DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-07-53
August 2007 (Revised)

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 20, 2007

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports published by our office as part of our DHS oversight responsibility to promote economy, effectiveness, and efficiency within the department.

This report presents the information technology (IT) management letter for DHS’ financial statement audit as of September 30, 2006. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-07-10, November 2006) and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of DHS’ FY 2006 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 15, 2006, and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or a conclusion on compliance with laws and regulations.

The recommendations herein have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 15, 2006

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Department of Homeland Security

Chief Financial Officer
U.S. Department of Homeland Security

Ladies and Gentlemen:

We were engaged to audit the balance sheet and statement of custodial activity of the U.S. Department of Homeland Security (DHS) as of September 30, 2006. We were not engaged to audit the consolidated statements of net cost, changes in net position, and financing, and the combined statement of budgetary resources for the year ended September 30, 2006. Because of matters discussed in our Independent Auditors’ Report, dated November 15, 2006, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the consolidated balance sheet or the statement of custodial activity for the year ended September 30, 2006.

In connection with our fiscal year 2006 engagement, we were also engaged to consider DHS’ internal control over financial reporting and to test DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the consolidated balance sheet. Our procedures did not include examining the effectiveness of internal control and do not provide assurance on internal control. We have not considered internal control since the date of our report.

We noted certain matters involving internal control and other operational matters with respect to information technology that are summarized in the Information Technology Management Comments on the next page, and presented for your consideration in the sections that follow. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies. These comments are in addition to the reportable conditions presented in our Independent Auditors’ Report, dated November 15, 2006, included in the FY 2005 DHS Performance and Accountability Report. A description of each internal control finding, and its disposition, as either a significant finding contributing to the material weakness for financial systems security, a remaining finding contributing to the material weakness for financial systems security, or an information technology management comment, is provided in Appendix B.
We have also included the current status of the prior year Notices of Findings and Recommendations in Appendix C. Our comments related to financial management have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 15, 2006.

As described above, the scope of our work was not sufficient to express an opinion on the balance sheet or statement of custodial activity of DHS as of September 30, 2006, and we were not engaged to audit the statements of net cost, changes in net position, and financing, and the combined statement of budgetary resources for the year ended September 30, 2006. Accordingly, other internal control matters and other instances of non-compliance may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the September 30, 2006 balance sheet and statement of custodial activity, and had we been engaged to audit the other fiscal year 2006 financial statements. We aim, however, to use our knowledge of DHS’ organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

This report is intended for the information and use of DHS’ management, the Office of Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and the Government Accountability Office, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope and Approach ... 1
Summary of Findings and Recommendations ... 2
Findings by Audit Area ... 3
    Entity-Wide Security Program Planning and Management ... 3
    Access Controls ... 3
    Application Software Development and Change Controls ... 3
    System Software ... 4
    Segregation of Duties ... 4
    Service Continuity ... 4
    Application Controls ... 4

APPENDICES

Appendix A: Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2006 DHS Financial Statement Audit ... 8
Appendix B: FY 2006 Notice of IT Findings and Recommendations - Detail by DHS Organizational Element ... 15
Appendix C: Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations ... 122
Appendix D: Financial System Security FY 2006 Remediation Briefing ... 137

Department of Homeland Security
Information Technology Management Letter
September 30, 2006

OBJECTIVE, SCOPE AND APPROACH

We performed an audit of DHS IT general controls in support of the FY 2006 DHS balance sheet and statement of custodial activity audit engagement. The overall objective of our audit was to evaluate the effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, formed the basis of our audit. The scope of the IT general controls assessment included testing at DHS’ Office of the Chief Financial Officer (OCFO) and at all significant DHS components, as described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of IT auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following six control functions as essential to the effective operation of the general IT controls environment.

• Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• System software (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

In addition to testing DHS’ general control environment, we performed application control tests on a limited number of DHS financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

• Application controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

To complement our general IT controls audit, we also performed technical security testing of key network and system devices, as well as testing of key financial application controls. The technical security testing was performed both over the Internet and from within select DHS facilities, and focused on test, development, and production devices that directly support DHS financial processing and key general support systems.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts that would be material in relation to the balance sheet or statement of custodial activity being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Because of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

Controls over IT and related financial systems are essential elements of financial reporting integrity. Effective general controls in an IT and financial systems environment are typically defined in six key control areas: entity-wide security program planning and management, access control, application software development and change control, system software, segregation of duties, and service continuity. In addition to general controls, financial systems contain application controls, which are the structure, policies, and procedures that control access to an application, prevent individuals from accessing particular application modules such as accounts payable, inventory, payroll, grants, or loans, and verify that the specific interface and edit controls are in place as defined by management.

During fiscal year 2006, DHS as an agency improved its Federal Information Security Management Act results, as reported by the DHS Office of Inspector General. In addition, a few DHS components took actions to improve their IT general and application control environments and to address prior year IT control issues; however, a number of DHS components did not make necessary improvements during the year. During the 2006 IT testing, we identified over 200 separate findings, covering each DHS component. DHS closed approximately 44% of our prior year IT findings; however, we identified over 150 new IT findings through our test work this year.
A significant number of findings were repeated in fiscal year 2006.

The control areas where the increases in IT Notifications of Findings and Recommendations (NFRs) present an increased risk to financial data integrity are: 1) excessive access to key DHS financial applications; 2) misconfigured logical security controls on key DHS financial applications and support systems; and 3) application change control processes that are inappropriate or, at other locations, not fully defined, followed, or effective. The re-issued and the newly identified internal control weaknesses resulted from a failure to prioritize the necessary corrective actions. Despite the improvements in a few DHS components, several significant general IT and application control weaknesses remain that collectively limit DHS’ ability to ensure that critical financial and operational data is maintained in a manner that preserves its confidentiality, integrity, and availability.

FINDINGS BY IT AUDIT AREA

1. Entity-wide security program planning and management – we noted:

• Despite continued improvements in the process of performing Certification and Accreditation (C&A) of IT systems, nine DHS component financial and associated feeder systems, at three DHS components, were not properly certified and accredited in compliance with DHS 4300A.
• Instances of incomplete or inadequate policies and procedures for computer incident response capabilities at four DHS components.
• Instances where background investigations of contractors employed to operate, manage, and provide security over IT systems were not being properly conducted at three DHS components.
• Instances of non-compliance with DHS computer security awareness training requirements, and/or a lack of component policies for IT-based specialized security training, at three DHS components.

2. Access controls – we noted:

• A large number of instances of missing and weak user passwords on key servers and databases that process and house DHS financial data at six DHS components.
• A large number of instances where user account lists were not periodically reviewed for appropriateness, and where inappropriate authorizations and excessive user access privileges were allowed, at nine DHS components.
• Instances where workstations, servers, or network devices were configured without necessary security patches or were not configured in the most secure manner at five DHS components.
• Instances where physical access controls over sensitive computer operations were not adequate at four DHS components.

3. Application software development and change control – we noted:

• One DHS component implemented a separate and secondary change control process outside of, and conflicting with, the established change control process. During our testing of this separate process, we found it to be informal, undocumented, and not effective.
• Instances where policies and procedures regarding change controls were not in place to prevent users from having concurrent access to the development, test, and production environments of the system at four DHS components.
• Instances where changes made to the configuration of the system were not always documented through System Change Requests (SCRs), test plans, test results, or software modifications at seven DHS components. Additionally, documented approval did not exist, or was not always retained, for emergency enhancements, “bug” fixes, and data fixes, and in some cases audit logs for tracking changes to the data or systems were not activated.

4. System software – we noted:

• Instances where policies and procedures for restricting and monitoring access to operating system software were not implemented or were inadequate at six DHS components. In some cases, the ability to monitor security logs did not exist.
• Instances where changes to sensitive operating system settings and other sensitive utility software and hardware were not always documented.

5. Segregation of duties – we noted:

• Instances where individuals were able to perform incompatible functions, such as the changing, testing, and implementing of software, without sufficient compensating controls in place at four DHS components.
• An instance where the policy and procedures to define and implement segregation of duties were not properly developed and/or implemented at one DHS component.
• Access control weaknesses identified during our IT testing also contributed to numerous instances where access to data could lead to various incompatible function issues, including the override of transactions, at five DHS components.

6. Service continuity – we noted:

• Instances of incomplete or outdated business continuity plans, and systems with incomplete or outdated disaster recovery plans, at four DHS components. Some plans did not contain current system information, emergency processing priorities, procedures for backup and storage, or other critical information.
• Service continuity plans were not consistently and/or adequately tested, and individuals did not receive training on how to respond to emergency situations, at four DHS components.

7. Application controls – we noted:

• Instances of weak or expired user passwords, user accounts that were not kept current, users with excessive access privileges to certain key processes of an application, and key edit and business rules not working as designed by management, at nine DHS components. Many of the weaknesses identified during our general control testing of access and segregation of duties controls are also relevant to this area, since the same issues also affect controls over specific key financial applications, and they are thus reported here as well.

Cause/Effect: Many of these weaknesses were inherited from the legacy agencies that came into DHS, or from system development activities that did not incorporate strong security controls from the outset, and will take several years to fully address. At many of the larger components, IT and financial system support operations are decentralized, contributing to challenges in integrating DHS IT and financial operations. In addition, financial system functionality weaknesses, as discussed throughout our report on internal controls in various processes, can be attributed to non-integrated legacy financial systems that do not have the embedded functionality required by Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems.

Further, there is no consistent and thorough testing of IT security controls by individual DHS components and by the DHS Office of the Chief Information Officer (CIO) to identify and mitigate such weaknesses.

The effect of the numerous IT weaknesses identified during our testing is to reduce the reliability of DHS’ financial data. Many of these weaknesses, especially those in the area of change control, may result in material errors in DHS’ financial data that are not detected, in a timely manner, in the normal course of business.
In addition, as a result of the continuous presence of serious IT deficiencies, there is added pressure on the mitigating manual controls to operate effectively at all times. Since manual controls are operated by people, there cannot be a reasonable expectation that they will be in place at all times and in all areas.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the E-Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and National Institute of Standards and Technology (NIST) guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. Finally, for this year’s IT audit we assessed the DHS components’ compliance with DHS’ Information Technology Security Program Publication, 4300A.

Recommendations: We recommend that the DHS CIO, in coordination with the OCFO, make the following improvements to the Department’s financial management systems:

1. For entity-wide security program planning and management:

• Enforce through the DHS C&A program, across all DHS components, a testing process that goes beyond an assessment of in-place policies and procedures to include tests of an application’s password “strength,” access lists, and software patches;
• Enforce the consistent implementation of security programs, policies, and procedures, including incident response capability and IT security awareness and training; and
• Enforce DHS’ policy to ensure that all contractors go through the appropriate background/suitability check.

2. For access control:

• Enforce password controls that meet DHS’ password requirements on all key financial systems;
• Implement an account management certification process within all the components to ensure the periodic review of user accounts for appropriate access;
• Implement a DHS-wide patch and security configuration process, and enforce the requirement that systems are periodically tested by individual DHS components and the DHS CIO; and
• Conduct periodic vulnerability assessments, whereby systems are periodically reviewed for access controls not in compliance with DHS and Federal guidance.

3. For application software development and change control:

• Implement a single, integrated change control process over the DHS components’ financial systems, with appropriate internal controls, that includes clear lines of authority to the components’ financial management personnel and enforces the responsibilities of all participants in the process and the documentation requirements;
• Develop policies and procedures regarding change controls, and implement them to ensure segregation of change control duties; and
• Enforce policies that require changes to the configuration of the system to be approved and documented, and audit logs to be activated and reviewed on a periodic basis.

4. For system software, monitor the use of and changes related to operating systems and other sensitive utility software and hardware.

5. For segregation of duties:

• Document user responsibilities so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented; and
• Assign key security positions, and ensure that position descriptions are kept current.

6. For service continuity:

• Develop and implement complete, current business continuity plans and system disaster recovery plans; and
• Perform component-specific and DHS-wide testing of key service continuity capabilities, and assess the need to provide appropriate and timely emergency training.

7. For application controls:

• Implement policies to ensure that password controls meet DHS password requirements on all key financial applications and feeder systems;
• Implement an account management certification process to ensure the periodic review of user accounts for appropriate access;
• Document user responsibilities so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented; and
• Implement appropriate oversight of the edit and interface controls to ensure that the financial processes are operating as management designed.

Management Comments and OIG Evaluation

We obtained written comments on a draft of this report from the DHS CIO and DHS CFO. Generally, the DHS CIO and CFO agreed with all of the report’s findings and recommendations. The DHS CIO has developed a remediation plan to address these findings and recommendations. We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

Appendix A

Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2006 DHS Financial Statement Audit

Below is a description of the significant DHS financial management systems and supporting IT infrastructure included in the scope of the financial statement audit for the twelve months ended September 30, 2006.

United States Citizenship and Immigration Services (USCIS)

Locations of Audit: USCIS Headquarters in Washington, D.C., as well as offices in Texas and Vermont.

Key Systems Subject to Audit:

• Federal Financial Management System (FFMS) – The Immigration and Customs Enforcement (ICE) component owns and operates FFMS. ICE performs the financial reporting function for USCIS, using FFMS per the shared services agreement with USCIS. FFMS is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. FFMS is the official system of record and is built on the Oracle 8i Relational Database Management System. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center payroll interface. FFMS supports all USCIS core financial processing. FFMS uses a Standard General Ledger (SGL) for the accounting of agency financial transactions.
• Claims 3 Local Area Network (LAN) – Claims 3 LAN provides USCIS with a decentralized LAN-based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90), and USCIS forms improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont, and the National Benefits Center). The main purpose of Claims 3 is to enter and track immigration applications.
• Claims 4 – The purpose of Claims 4 is to track and manage naturalization applications. Claims 4 resides on multiple platforms, including a Siemens E70 located in Dallas, Texas. Claims 4 data is centrally stored within one Oracle database. Software is developed and maintained in the Oracle relational database and Microsoft Visual Basic environments.

Immigration and Customs Enforcement (ICE)

Locations of Audit: ICE Headquarters in Washington, D.C., as well as offices in Texas and Vermont.

Key System Subject to Audit:

Federal Financial Management System (FFMS) – ICE owns and operates FFMS. ICE performs accounting services for other DHS components, such as USCIS, the Management Directorate, and US-VISIT, using FFMS per the shared services agreements these agencies have with ICE. FFMS is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. FFMS is the official system of record and is built on the Oracle 8i Relational Database Management System. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center payroll interface. FFMS supports all USCIS/ICE core financial processing and uses an SGL for the accounting of agency financial transactions.

Departmental Operations

Locations of Audit: ICE Headquarters in Washington, D.C.

Key Systems Subject to Audit:

Federal Financial Management System (FFMS) – ICE owns and operates FFMS. ICE performs the financial reporting function for USCIS and departmental operations using FFMS per the shared services agreements these agencies have with ICE. FFMS is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. FFMS is the official system of record and is built on the Oracle 8i Relational Database Management System. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center payroll interface.
FFMS supports all USCIS/ICE core financial processing and uses an SGL for the accounting of agency financial transactions.

United States Coast Guard

Locations of Audit: Coast Guard Headquarters in Washington, DC; the Aviation Repair and Supply Center (ARSC) in Elizabeth City, North Carolina; [redacted].

Key Systems Subject to Audit:

•   Core Accounting System (CAS) – CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at [redacted], the Coast Guard’s primary data center.
•   Financial Procurement Desktop (FPD) – The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly Program Element Status reports.
•   Workflow Imaging Network System (WINS) – WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS uses MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received.
•   Checkfree – The Checkfree system is used to aid in the account reconciliations for the CAS. General Ledger extracts are imported into the system and automated passes are run to match transactions for reconciliation purposes. The results are later loaded into CAS. This system is hosted on a Windows server and resides at the Coast Guard [redacted].
•   Naval Electronics Supply Support System (NESSS) – Formerly named the Supply Center Computer Replacement System, NESSS is hosted at [redacted]. NESSS is the primary financial application for the Engineering Logistics Command (ELC), the Supply Fund, and the Coast Guard Yard fund. Also housed at [redacted] is the Fleet Logistics System, a web-based application designed to automate the management of Coast Guard vessel logistics by supporting the following functions: configuration, maintenance, supply and finance. In addition, [redacted] is responsible for the Configuration Management Plus System, the central repository for activities associated with maintaining Coast Guard assets at the unit level.

Several other key Coast Guard financial applications support military personnel and payroll, retired pay, and travel claims. These applications are hosted at the Coast Guard’s [redacted]. These applications include the Personnel Management Information System and the Joint Uniform Military Pay System. Also housed at [redacted] is the PeopleSoft 8.3 Direct Access application, which is used by members for self-service functions, including updating and viewing personal information.

United States Customs and Border Protection (CBP)

Locations of Audit: [redacted]

Key Systems Subject to Audit:

•   [redacted] is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the [redacted] using a phased approach. The [redacted] was implemented and utilized in FY 2004. In FY 2005, the Funds Management, Budget Control System, General Ledger, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules were implemented.
•   [redacted] is a collection of mainframe-based applications used to track, control, and process all commercial goods, conveyances and private aircraft entering United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government.

DHS Consolidated

Location of Audit: DHS Headquarters in Washington, D.C.

Key Systems Subject to Audit:

•   Treasury Information Executive Repository (TIER) – The system of record for the DHS consolidated financial statements is TIER. The DHS components update TIER on a monthly basis with data extracted from their core financial management systems. TIER subjects component financial data to a series of validation and edit checks before it becomes part of the system of record.
    Data cannot be modified directly in TIER, but must be resubmitted as an input file.
•   CFO Vision – CFO Vision interfaces with TIER, and is used for the consolidation of the financial data and the preparation of the DHS financial statements.

The TIER and CFO Vision applications reside on the Department of the Treasury’s (Treasury) network and are administered by Treasury. Treasury is responsible for the administration of the TIER Windows NT server, Oracle 8i database, and the TIER and CFO Vision applications. The DHS Office of Financial Management is responsible for the administration of DHS user accounts within the TIER and CFO Vision applications.

Federal Law Enforcement Training Center (FLETC)

Location of Audit: [redacted]

Key Systems Subject to Audit:

•   Momentum – FLETC’s core computerized system that processes financial documents generated by various FLETC divisions in support of procurement, payroll, budget and accounting activities.
•   Procurement Desktop – Procurement Desktop is the procurement management system, which is used for the tracking of procurement activities at various FLETC locations. The system resides on an Oracle database and the front end of the system is integrated with Momentum.

Federal Emergency Management Agency (FEMA)

Locations of Audit: FEMA Headquarters in Washington, D.C., and the [redacted]

Key Systems Subject to Audit:

•   Integrated Financial Management Information System (IFMIS) – IFMIS is the key financial reporting system, and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).
•   National Emergency Management Information System (NEMIS) – NEMIS is an integrated system that provides FEMA, the states, and certain other federal agencies with automation to perform disaster-related operations. NEMIS supports all phases of emergency management, and provides financial data to IFMIS via an automated interface.
•   Transaction Record Reporting and Processing (TRRP) – The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies. TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that runs on the National Flood Insurance Program (NFIP) mainframe logical partition in Norwich, CT.
•   Traverse – The general ledger application used by CSC to generate the NFIP financial statements. Traverse is a client-server application that runs on a Windows server in Lanham, MD, which is secured in the local area network room. The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members.

Grants and Training (G&T)

Location of Audit: G&T Headquarters in Washington, D.C.

Key Systems Subject to Audit:

G&T’s IT platforms are hosted and supported by the Department of Justice’s Office of Justice Programs (OJP). The following is a list of key financial applications supporting G&T.
•   IFMIS (same application as FEMA’s, but hosted at OJP) – IFMIS consists of five modules: budget, cost posting, disbursement, general ledger, and accounts receivable. Users access the system through individual workstations that are installed throughout G&T and OJP. The current IFMIS version does not have the ability to produce external federal financial reports (i.e., SF132 and SF133) and financial statements. IFMIS was updated in February 2002 with the version certified by the Joint Financial Management Improvement Program.
•   Grants Management System (GMS) – GMS supports the G&T grant management process involving the receipt of grant applications and grant processing activities. GMS is divided into two logical elements: a grantee element and an administration element. The grantee component provides the Internet interface and functionality required for all of the grantees to submit grant applications on-line. The second component, the administration component, provides SLGCP/OJP personnel the tools required to store, process, track and ultimately make decisions about the applications submitted by the grantee. This system does not interface directly with IFMIS.
•   Line of Credit Electronic System (LOCES) – LOCES allows recipients of SLGCP funds to electronically request payment from OJP on one day and receive a direct deposit to their bank for the requested funds, usually on the following day. Batch information containing drawdown transaction information from LOCES is transferred to IFMIS. IFMIS then interfaces with Treasury to transfer payment information to Treasury, resulting in a disbursement of funds to the grantee.
•   Paperless Request System (PAPRS) – This system allows grantees to access their grant funds. The system includes a front-end and a back-end application. The front-end application provides the interface where grantees make their grant requests. The back-end application is primarily used by accountants and certifying officials. The back-end application also interfaces with IFMIS. Batch information containing drawdown transaction information from PAPRS is interfaced with IFMIS. IFMIS then interfaces with Treasury to transfer payment information to Treasury, resulting in a disbursement of funds to the grantee.

Transportation Security Administration (TSA)

Locations of Audit: TSA Headquarters in Washington, D.C. and the [redacted]. TSA’s financial applications are hosted on the Coast Guard’s IT platforms.

Key Systems Subject to Audit:

•   Core Accounting System (CAS) – CAS is the core accounting system that records financial transactions and generates financial statements for TSA.
    CAS is hosted at [redacted], the Coast Guard’s primary data center.
•   Financial Procurement Desktop (FPD) – The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly Program Element Status reports.
•   Sunflower – The Sunflower system is the property management system, which is used for the tracking of property at TSA locations. The system resides on an Oracle database and the front end of the system is integrated with the CAS user interface. Sunflower is hosted at the [redacted], the Coast Guard’s primary data center.

                                   Appendix B

FY2006 Notice of IT Findings and Recommendations – Detail by DHS Organizational Element

                Department of Homeland Security
                 FY2006 Information Technology
     Notification of Findings and Recommendations – Detail

             United States Citizenship and Immigration Services

Columns: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating.

NFR # USCIS 06-01
Condition: The National Benefits Center (NBC) has not defined or documented the appropriate user permissions for the various roles granted to the [redacted] Local Area Network (LAN).
Recommendation: Define and document the various [redacted] LAN roles and their associated user permissions as they pertain to NBC.
New Issue: X | Repeat Issue: | Risk Rating: Low

NFR # USCIS 06-02
Condition: NBC does not perform periodic [redacted] LAN user access reviews to ensure that users’ level of access remains appropriate.
Recommendation:
    •   Ensure that the NBC IT Department annually reviews the list of [redacted] LAN system administrators and database administrators, and reviews and approves the access level list.
    •   Ensure that NBC management annually reviews and approves the lists of employees stating the appropriate level of access for each NBC employee with access to the [redacted] LAN.
    •   Require the NBC IT Department to exercise its oversight role to ensure that necessary adjustments in NBC LAN account access levels are accomplished based on that input.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # USCIS 06-03
Condition: Management at USCIS Headquarters and the Service Centers (Nebraska, California, Texas, and Vermont) has not completed, or has inadequately completed, access forms for [redacted] and CISCOR system users.
Recommendation: Establish procedures for the completion and maintenance of user access forms for [redacted] and CISCOR users.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # USCIS 06-04
Condition: Access control weaknesses such as account management, password length, and a lack of review over audit records were identified for the [redacted] system.
Recommendation: Ensure that [redacted] system passwords are established and maintained in accordance with DHS and Federal guidance and that warning banners are in place when users log on to the system.
New Issue: | Repeat Issue: X | Risk Rating: Medium

                Department of Homeland Security
                 FY2006 Information Technology
     Notification of Findings and Recommendations – Detail

                   Immigration and Customs Enforcement
Columns: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating.

NFR # ICE 06-01
Condition: ICE Office of the Chief Information Officer (OCIO) management has not defined or documented a formal plan to monitor security control compliance of third-party providers of [redacted] services.
Recommendation: Continue its efforts to define, document, and follow a formal plan to monitor security control compliance of third-party providers of [redacted] services.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-02
Condition: The [redacted] System Security Plan does not include procedures for distributing, maintaining, or tracking a user’s signed Rules of Behavior (ROB) document. Additionally, not all [redacted] users have signed the current ROB document reflecting DHS policies and procedures.
Recommendation:
    •   Update the [redacted] System Security Plan to include procedures for ensuring all [redacted] users acknowledge and accept the DHS ROB when they log in to [redacted];
    •   Develop and implement controls to ensure such procedures are enforced; and
    •   Continue its efforts to append the DHS ROB to the initial login screen of [redacted].
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-03
Condition: At the time our procedures were performed, OCIO management had not reviewed and updated the list of ICE users with wireless access. Several wireless broadband cards were issued to ICE users, but the OCIO was unaware of who the users are or where they are located. After we communicated this issue to OCIO management, it subsequently performed such a review and updated its list of ICE users with wireless access. Furthermore, OCIO management indicated that it suspended and de-activated all cards not accounted for.
Recommendation: Periodically review the list of ICE users with wireless access to ensure that all users with active accounts still require wireless access.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-04
Condition: ICE network traffic for the [redacted] client/server application does not pass through the ICE firewall, but rather goes directly to the ICE router at the Department of Commerce (DOC) Office of Computer Services (OCS) and is then handed off to DOC OCS’ network.
Recommendation: Continue efforts to implement a second firewall for the protection of ICE’s network, and more specifically, its financial information.
New Issue: X | Repeat Issue: | Risk Rating: High

NFR # ICE 06-05
Condition: Users are not locked out of [redacted] or the ICE network after 20 minutes of inactivity.
Recommendation: Configure [redacted] and the ICE network to lock users out after 20 minutes of inactivity.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-06
Condition: The [redacted] security audit log for the mainframe system housing the [redacted] databases can be modified by the Security Administrator.
Recommendation: The ICE CIO should work with DOC OCS to prevent the [redacted] security audit log from being modified by the [redacted] Security Administrator.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-07
Condition: The ICE CIO has not completed and authorized remote access forms for two of the five ICE users we selected for testing.
Recommendation: Ensure that all users with remote access have a completed and approved Remote Access Request form on file.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-08
Condition: Two of the five [redacted] users we selected for testing have two accounts (e.g., Jsmith and Jsmith1 belonging to the same person), but only one access form on file.
Recommendation: Complete and authorize user access forms for all [redacted] user accounts.
New Issue: X | Repeat Issue: | Risk Rating: Medium

NFR # ICE 06-09
Condition: User profiles are not properly segregated within [redacted]. We noted the following:
    •   3 users can enter, approve, and make payments;
    •   157 users can create obligations and payments; and
    •   7 contractors have access to the Desk Approving Official (AO) and Desk Funding Official (FO) profiles.
Recommendation:
    •   Clearly define and document [redacted] profiles that must be segregated.
    •   Implement a timely and disciplined analysis (at least 2 times per year) of user access and segregate incompatible [redacted] user profiles whenever identified.
New Issue: X | Repeat Issue: | Risk Rating: High

NFR # ICE 06-10
Condition: User profiles have not been updated across all instances of [redacted] for the entities to which ICE Office of Financial Management (OFM) provides accounting services, to address the principles of least privilege and separation of duties. According to ICE management, a business decision has been made to complete an overall update of user profiles across all [redacted] instances. The business decision is to approach the full profile component, as ICE has determined it is the better long-range solution.
Recommendation: Continue its efforts to review and update user profiles, across all [redacted] instances, to ensure that user profiles are adequately segregated and users only have access to the profiles they need to perform their official duties.
New Issue: X | Repeat Issue: | Risk Rating: High

                Department of Homeland Security
                 FY2006 Information Technology
     Notification of Findings and Recommendations – Detail

                            Departmental Operations
Findings and Recommendations \xe2\x80\x93 Detail\n\n                                                      Departmental Operations\n\n                                                                                                                         Repeat      Risk\nNFR #                   Condition                                       Recommendation                       New Issue\n                                                                                                                          Issue     Rating\nMGT     During our testing we noted that the user     \xe2\x80\xa2   Request the ICE OCIO to remove the inactive           X                    Low\n06-01   account for an individual who separated           user account from\n        from MGT on May 24, 2006 had not been         \xe2\x80\xa2   Perform; in coordination with the ICE OCIO,\n        removed from           as of September 8,         periodic reviews of user accounts to ensure that\n        2006. Although the user account was made          all accounts are active and users require access\n        inactive in        upon the employee\xe2\x80\x99s            to       .\n        departure, the inactive account was not\n        removed from            Experienced system\n        users/hackers can access systems via\n        dormant/inactive accounts; therefore, it is\n        important to remove all inactive accounts\n        from the system.\n\n\n\n\n               Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                   24\n\x0c                                                                                         Appendix B\n\n                           Department of Homeland Security\n                       Information Technology Management Letter\n                                  September 30, 2006\n\n\n\n                Department of Homeland Security\n                 FY2006 
Information Technology\n     Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n\n                        Customs and Border Protection\n\n\n\n\nInformation Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                         25\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                Department of Homeland Security\n                                                 FY2006 Information Technology\n                                     Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n                                                    Customs and Border Protection\n\n                                                                                                                                Repeat      Risk\nNFR #                        Condition                                        Recommendation                        New Issue\n                                                                                                                                 Issue     Rating\nCBP-IT-   Due to the design of        certain controls can    While we understand that the complete mitigation,                    X        High\n 06-01    be overridden without supervisory approval.         
via system-based controls, of this issue may\n          For example, when a CBP entry specialist            require significant investment, we recommend that\n          attempts to liquidate an import entry in      ,     CBP management develop a process to mitigate\n          the system displays a warning message,              the systemic         weakness that certain controls\n          indicating that a drawback claim had been filed     can be overridden without supervisory approval.\n          against the import entry. However, entry                  Drawback functionality is just an example of\n          specialists could override the warning message      supervisory overrides in         This is prevalent\n          without supervisory review and process a refund     throughout the        environment. Considering the\n          without investigating pending drawback claims       number of years necessary to fully replace\n                                                              functionality with        this process should be\n          We noted that there have been no changes in the     designed in a manner to ensure supervisory review\n          status of the finding. CBP management agrees        of        overrides while maintaining a minimal\n          with the finding, but does not agree with the       burden on management. Also, CBP should ensure\n          recommendation to correct this issue in        .    that the new        system has the appropriate\n          Instead, CBP management plans on                    requirements for such controls and that these\n          implementing functionality in        to prevent     controls are applied prior to implementation. CBP\n          the override capability. We noted that although     management has concurred that the new\n                 will eventually replace            was not   system will be designed with this functionality\n          be implemented in FY 2006.                          
built in to the system.\nCBP-IT-   \xe2\x80\xa2 CBP management has not established ISAs           \xe2\x80\xa2 Complete efforts to identify the remaining                        X       Medium\n 06-02         for legacy connections with      .                  dial-up connections that are considered\n          \xe2\x80\xa2 Additionally, the majority of financial                \xe2\x80\x9clegacy\xe2\x80\x9d connections and formally establish\n               institutions connecting with       do not           ISAs with these entities\n               have ISAs.                                     \xe2\x80\xa2 Complete efforts to identify all connections\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       26\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                Repeat      Risk\nNFR #                        Condition                                       Recommendation                         New Issue\n                                                                                                                                 Issue     Rating\n                                                                 with the      and formally establish ISAs\n                                                                 with these entities.\n\nCBP-IT-   CBP management has not performed a formal          Complete the certification and accreditation of\n 06-03    certification 
and accreditation on the      LAN         LAN components and the           LAN as a\n          as a whole. Specifically, a formal security        whole.                                                               X       Medium\n          control assessment and a formal risk assessment\n          have not been performed for components of the\n                 LAN.\n\nCBP-IT-   CBP does not maintain a centralized listing of     \xe2\x80\xa2    Develop a formal centralized process for                        X       Medium\n 06-04    separated contract personnel. The only method           tracking the termination of contract personnel.\n          CBP employs to track terminated contractors is     \xe2\x80\xa2 Deactivate all systems access of terminated\n          the use of a report of users that had their             contractors immediately upon separation from\n          mainframe account deleted. We cannot                    CBP.\n          acknowledge this list as representative of all\n                                                             \xe2\x80\xa2 Periodically distribute a listing of terminated\n          terminated contractors. 
This is because\n                                                                  contract personnel to information system\n          terminated contract personnel might not have\n                                                                  administrators so they remove user access and\n          mainframe access or their access was not\n                                                                  periodically assess contractor access to CBP\n          removed after their termination.\n                                                                  systems.\nCBP-IT-   \xe2\x80\xa2    CBP management has not performed a            \xe2\x80\xa2 Perform a formal review of access to the data\n 06-05         formal review of individuals with physical         center,\n                                                                                                                                  X       Medium\n               access to the data center.                    \xe2\x80\xa2 Update the data center access listing based on\n          \xe2\x80\xa2 Additionally, CBP management has not                  the review of access, and\n               established formal procedures for revoking    \xe2\x80\xa2 Formalize the procedures for granting and\n               physical access to       buildings.                removing        building access.\nCBP-IT-   CBP has not performed a separate certification     Complete the formal certification and accreditation                  X         Low\n 06-06    and accreditation for the applications remaining   of all       Administrative applications.\n          in the seven business process areas defined in\n          the Administrative Applications C&A. 
These\n          seven business process areas include the\n          following:\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                      27\n\x0c                                                                                                                                       Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                    Repeat      Risk\nNFR #                        Condition                                         Recommendation                           New Issue\n                                                                                                                                     Issue     Rating\n          \xe2\x80\xa2   Disclosure Administrative Support Systems\n          \xe2\x80\xa2   Financial Administrative Support Systems\n          \xe2\x80\xa2   Field Operations Support Systems\n          \xe2\x80\xa2   Investigation Support Systems\n          \xe2\x80\xa2   OIT Administrative Support Systems\n          \xe2\x80\xa2   Personnel Administrative Support Systems\n          \xe2\x80\xa2   Training Support Systems\nCBP-IT-        does not have an automated mechanism to         Implement an automated mechanism to detect and                         X       Medium\n 06-07    detect and deactivate users that have not logged     deactivate inactive accounts that does not require\n          on for 90 days per DHS policy.                       
manual initiation.\n\nCBP-IT-   Field offices are not consistently reporting the     \xe2\x80\xa2   Communicate the directive to all the field sites                   X       Medium\n 06-08    completion of         re-certifications at their         so that the field sites are aware of the reporting\n          ports to the OFO headquarters. Email                     requirement.\n          confirmation of completion of           re-          \xe2\x80\xa2   Periodically reconcile the received completion\n          certifications were not available for Boston,            reports with the field sites to determine the\n          Baltimore, New Orleans, Miami, and Calgary               field sites that have not reported        re-\n          (Canada) field offices, and the Los Angeles field        certifications to OFO.\n          office only provided an email stating that re-\n          certification process exists, but did not confirm\n          that       re-certifications had been completed.\n          The six field offices listed above represent 10 of\n          44 ports selected for testing.\nCBP-IT-   We could not obtain the requested evidence of                                                                               X       Medium\n                                                               Field ports should maintain documented evidence\n 06-09          recertifications from CBP for any of the 44\n                                                               of       recertifications for audit purposes. 
CBP\n          selected field level ports to determine whether\n                                                               should ensure that field sites submitting\n                accounts with sensitive and high-risk\n                                                               completion reports are maintaining the required\n          combination of functions are reviewed for\n                                                                     recertification records.\n          appropriateness.\nCBP-IT-   Improvements are still needed in CBP\xe2\x80\x99s               \xe2\x80\xa2   Continue to roll out        Endpoint Health to                     X       Medium\n 06-10    Incident Handling and Response Capability                all CBP workstations.\n\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                        28\n\x0c                                                                                                                                   Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\n                                                                                                                                Repeat      Risk\nNFR #                        Condition                                         Recommendation                       New Issue\n                                                                                                                                 Issue     Rating\n          which may potentially limit CBP\xe2\x80\x99s ability to         \xe2\x80\xa2   Develop procedures to respond to system flaw\n          respond to incidents in an appropriate manner.           
notifications in a consistent manner.\n          Specifically, we noted the following issues:\n          \xe2\x80\xa2            Health Endpoint will not be installed\n               on all workstations for the majority of the\n               fiscal year.\n          \xe2\x80\xa2 3 of 8 selected system flaw notifications did\n               not have an associated Service Center\n               ticket.\nCBP-IT-   We noted that the process for deletion of            \xe2\x80\xa2   Determine whether the potential matches are         X                   High\n 06-11    accounts for terminated government and                   actual matches. Delete the accounts of any\n          contractor personnel may be utilizing erroneous          confirmed terminated employees.\n          data. Specifically, we noted that the files being    \xe2\x80\xa2   Continue to use the payroll feed to determine\n          sent from the Mainframe Security group to the            if a     user has terminated employment.\n                Security team to terminate       accounts\n                                                               \xe2\x80\xa2   Disable user accounts of separated employees\n          of separated employees do not display the true\n                                                                   and contractors as stated in CBP and NIST\n          status of employees. The mainframe query\n                                                                   guidance.\n          producing the separated contractor file includes\n          individuals with Mainframe accounts that have        \xe2\x80\xa2   Implement and monitor a formal employee\n          been locked after 30 days of inactivity.                 
separation process that removes all systems\n          Additionally, the separated government                   accounts for terminated or separated\n          employees file is not accurate due to the fact           employees.\n          that many government employees are separated\n          and return to CBP as contractors.\n          Consequently, the        Security Group does not\n          deactivate the accounts for these instances.\nCBP-IT-   We noted that 24 out of 45 selected individuals      \xe2\x80\xa2  Continue to use the official authorization form                 X       Medium\n 06-12    did not have formally documented VPN access             for new VPN users.\n          authorization forms. Additionally, CBP has not       \xe2\x80\xa2 Formally re-certify all VPN employee\n          implemented formal procedures for VPN                   accounts on a periodic basis and document\n          recertification for the majority of FY 2006.            results.\nCBP-IT-   CBP System Security does not conduct reviews         Implement policies and procedures for monitoring        X                  Medium\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                        29\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                Repeat      Risk\nNFR #                        Condition                                        Recommendation                        New Issue\n   
                                                                                                                              Issue     Rating\n 06-13    of powerful system utilities. Specifically, the     and reviewing logs of powerful system utilities for\n          utilities                           and             suspicious activity.\n                     are not reviewed by management.\nCBP-IT-   \xe2\x80\xa2 Multiple methods of termination of                \xe2\x80\xa2   Ensure that management understands the               X                  Medium\n 06-14         mainframe accounts are used by Systems             importance of completing CF-241 forms and\n               Security personnel (i.e. electronic mail,          receiving appropriate notification from System\n               phone calls, and termination checklists).          Security for removal of access to systems.\n          \xe2\x80\xa2 We selected 45 terminated employees to            \xe2\x80\xa2   Implement and enforce a formal separation\n               determine whether termination checklists           and review process that requires the CF-241\n               had been consistently completed. Of the 45         form to be complete, including signatures\n               employees, only 30 forms were provided.            from direct supervisors, before the employee\xe2\x80\x99s\n               Of these 30 forms, we noted that 9 out of 30       final day of employment.\n               forms did not have supervisory signature,\n               which signifies completion of the form to\n               include notification sent to System Security\n               for removal of logical access to\n               applications. 
We noted that termination\n               checklists (CF-241) are not consistently\n               completed for separating employees\n               throughout the organization.\nCBP-IT-   Backup tapes do not have affixed external labels    Apply external labels to the backup tapes and other      X                  Medium\n 06-15    to indicate the sensitivity of the data contained   storage devices with the sensitivity level of the\n          in the tapes.                                       information contained within the object.\nCBP-IT-   CBP System Security does not have formal            Formally document, implement and monitor                 X                  Medium\n 06-16    policies and procedures in place for monitoring     policies and procedures related to the use of such\n          powerful/sensitive system utilities                 powerful/sensitive system utilities.\nCBP-IT-   \xe2\x80\xa2 Improvements still needed in CBP\xe2\x80\x99s                \xe2\x80\xa2 Coordinate with DHS in developing                                 X        High\n 06-17         technical security controls. 
Related to            enterprise-wide solutions for improving\n               issues reported in FY02, FY03 and FY04             network and host-based system configuration\n               findings regarding host and network based          design(s) to reduce the risks of compromise.\n               security system access deficiencies, we        \xe2\x80\xa2 Consider use of system administrator level\n               noted the following:                               security management monitoring tools to\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       30\n\x0c                                                                                                                                  Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\n                                                                                                                               Repeat      Risk\nNFR #                       Condition                                        Recommendation                        New Issue\n                                                                                                                                Issue     Rating\n                                                                 detect and correct security deficiencies in\n          \xe2\x80\xa2   CBP has confirmed that they will not be            preventing possible intrusions\n              implementing the Passfilt.dll system control   \xe2\x80\xa2   Proceed with the implementation of\n              program to enforce strong passwords or the                            to replace the Windows NT\n              Windows NT password protection 
feature             domain configuration.\n              enhancement upgrade referred to as             \xe2\x80\xa2   Provide and approve more robust standards for\n                                       .                         Windows-based production servers for a\n          \xe2\x80\xa2   CBP has not made the configuration                 standard and sustainable baseline set of system\n              changes to the                                     management security controls.\n                         that was compromised in We          \xe2\x80\xa2   Consider development of a compliance level\n              FY03 intrusion tests.                              policy that provides for adherence to CBP\n          \xe2\x80\xa2   Discovered key systems\xe2\x80\x99 domains in                 password management policies set at the\n              targeting for potential unauthorized access        domain controller level where local system\n              attempts where we were able to identify            administrators and help desk staff may alter\n              major CBP network domains.                         users\xe2\x80\x99 password management policies\n          \xe2\x80\xa2   Exploited a system vulnerability that had          resulting in non-compliance situations.\n              not been corrected.                            \xe2\x80\xa2   Review and justify the level of system\n          \xe2\x80\xa2   We confirmed that the number of Domain             administrators on critical domains to ensure\n              Administrators on selected Domains has             that the level of access is based on strict\n              increased since 2005.                              
(Continued from the preceding entry)

Condition (continued):
• ESM identified weak passwords, expired passwords, misconfigurations, and missing patches.
• Identified vulnerabilities on an Oracle database which had critical patches missing, weak passwords, and auditing not enabled.

Recommendation (continued): ...adherence to least privilege principles where the absolute minimum level necessary is applied.

NFR #: CBP-IT-06-18
Condition: We noted the following issues related to password parameters:
• Mainframe minimum password length is set to six characters.
• [redacted] LAN minimum password length is set to six characters.
• Password complexity is not set on the Mainframe.
• Password complexity is not set on [redacted].
• Password complexity is not set on the [redacted] LAN.
Recommendation:
• Continue to develop and implement the [redacted] security record to bring Mainframe password parameters into compliance with DHS and CBP policies.
• Bring [redacted] password parameters into compliance with DHS and CBP policies.
• Configure the [redacted] security parameter to enforce a minimum password length of eight characters.
New Issue: X; Risk Rating: High

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2006

NFR #: CBP-IT-06-19
Condition: We noted the following issues related to automatic session disconnection:
• CBP's policy states that sessions should be automatically disconnected after 30 minutes of inactivity, which is not consistent with DHS' policy.
• CBP's policy states that the workstation should log off from all connections after 5 minutes of inactivity, which is a documentation error. According to applicable guidance, all system connections do not have to be terminated after 5 minutes of inactivity on the workstation.
• [redacted] sessions are configured to terminate after 60 minutes of inactivity.
• CBP workstations cannot enforce the activation of a password-protected screensaver after 5 minutes of inactivity. The settings can be disabled or changed by individual users.
Recommendation:
• Modify CBP's automatic session disconnection policy so that it is consistent with DHS' policy, or obtain a formal waiver from DHS.
• Modify CBP documentation to reflect that only the password-protected screensaver must be activated after 5 minutes of inactivity.
• Modify [redacted] session disconnection settings to terminate sessions after 20 minutes of inactivity.
• Continue deployment of [redacted] and Windows 2003 in order to set up group policy and enforce password-protected screensaver settings on the workstations.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-20
Condition: [redacted] is not configured to disable user accounts after 3 consecutive failed logon attempts. Additionally, per observation, we noted [redacted] LAN accounts were not locked after three consecutive failed login attempts.
Recommendation:
• Modify [redacted] system parameters to lock users after three consecutive failed logon attempts, as required by the relevant policy.
• Modify intrusion detection parameters on all [redacted] LAN Novell Netware contexts to allow two failed logon attempts, which will enforce account lockout on the third failed logon attempt.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-21
Condition: CBP does not document formal approval of system changes for the [redacted] system. We selected 8 [redacted] regularly scheduled changes to determine if formal approval was given and documented. Per inspection of documentation, we were informed that there is no formally documented approval for the 8 selected changes.
Recommendation: Implement and enforce formal policies and procedures for documenting [redacted] change approvals by end users and data processing staff.
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-022
Condition: We noted weaknesses related to the deposit and withdrawal of backup tapes:
• Tape deposit receipts for 2 of 25 selected dates were not available.
• Withdrawal of backup tapes from the off-site storage facility is not logged.
Recommendation:
• File the tape deposit receipts immediately following the transaction with the off-site storage vendor.
• Implement and monitor a process to log the withdrawal of backup tapes from the off-site storage facility.
New Issue: X; Risk Rating: Low

NFR #: CBP-IT-06-023
Condition: CBP System Security does not consistently retain audit logs of powerful mainframe system utilities. Specifically, we selected 25 [redacted] reports to determine if powerful mainframe system utilities are being consistently logged. We determined that 5 out of the 25 selected logs were missing.
Recommendation: CBP management implement policies and procedures for retention of audit logs of powerful system utilities.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-024
Condition: We determined that [redacted] does not have the ability to prevent developers from overwriting existing code in the development environment. The developer is able to extract the code from the development environment and place it into a personal folder on the user's personal computer. If multiple users are modifying a program in their own personal folders, they may be overwriting existing changes.
Recommendation: We recommend that CBP management implement procedures which prevent the overwrite of development code in the development environment.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-025
Condition: Accounts are not deactivated after 90 days of inactivity with respect to the [redacted] system. We determined through inspection of audit evidence acquired from [redacted] that the defined deactivation period is, in fact, 180 days.
Recommendation:
• Configure the setting within [redacted] to automatically disable accounts that have been inactive after 90 days, per DHS 4300A Sensitive Systems Handbook v3.3.
• Review current [redacted] accounts and disable and/or remove accounts that have been inactive for 90 or more days in [redacted].
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-026
Condition: [redacted] LAN Security Administrators do not keep audit logs for the prescribed period of time. Audit logs are only available for, at the most, the past three months. Logs are not maintained beyond the configured space for the log file. We also noted that [redacted] LAN Security Administrators do not review audit logs.
Recommendation:
• Configure the [redacted] LAN to keep audit logs and track security events according to CBP and DHS policies.
• Review [redacted] LAN audit logs on a regular basis, according to CBP and DHS policy, to look for potential security events.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-027
Condition: We noted that accounts are not deactivated after 90 days of inactivity on the [redacted] LAN. We determined that the removal of inactive LAN accounts is a manual process.
Recommendation:
• Implement a control to automatically disable or remove accounts after ninety days of system inactivity in the system.
• Review current accounts and disable or remove accounts that have been inactive for ninety or more days in the system.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-028
Condition: [redacted] ISAs are not fully documented for [redacted]. The ISA documenting the connection between [redacted] America and CBP is currently out of date. In addition, the connection that exists between Treasury and CBP is currently not officially documented.
Recommendation: Complete and approve all connections with existing and new entities connecting with [redacted].
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-029
Condition: The documentation of completed initial security awareness training is not properly maintained. We selected security awareness training documentation for 45 users. Per inspection of documentation, we noted that 13 of 45 did not have security awareness training certificates documented.
Recommendation: Consistently apply the requirements for initial and refresher security awareness training for all CBP employees and contractors upon initially establishing LAN/Mainframe accounts to CBP information systems.
Repeat Issue: X; Risk Rating: Low

NFR #: CBP-IT-06-30
Condition: Contractor access request forms for the [redacted] LAN could not be adequately tested. We noted that no list of contractors hired to work at CBP is maintained; accordingly, audit procedures requiring a sample of contractor access request forms could not be requested.
Recommendation:
• Formalize policies and procedures so that all employees, either government or contractor, are tracked by CBP personnel.
• Implement a method of tracking those government employees and contractors that are currently employed at CBP.
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-31
Condition: [redacted] has excessive access to emergency processing capabilities. We noted that after an initial authorization to be added to an emergency user table in [redacted], a user can repeatedly request that their emergency access be reinstated, without being reauthorized. While emergency access in [redacted] can expire in no more than nine days, some users renew their emergency access every nine days. We noted that CBP has not implemented an effective method of controlling this access, as users are not required to reauthorize their emergency access each time it is requested.
Recommendation:
• Implement a policy and procedure that all users that require emergency access must have supervisory approval each time they need their emergency access activated.
• Recertify the users on the emergency access table to determine whether these are still users that may need emergency access as part of their operational duties at CBP.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-032
Condition: Access change audit logs are not reviewed in [redacted]. CBP management does not independently review the changes that are put into place by the [redacted] security administrators.
Recommendation:
• Implement policy that requires review of access level change logs for [redacted] and [redacted]. Ensure that personnel reviewing these [redacted] are independent from the personnel that can make changes to the access.
• Maintain documentation of the review of these logs and follow up on any anomalous issues discovered during a review.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-34
Condition: An administrator account on the [redacted] LAN ("CMO NDS Administrator") is shared by four LAN administrators.
Recommendation: Ensure that the shared account is locked or deleted.
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-036
Condition: We determined that the following documents have not been formally approved:
• Systems Development Life Cycle (SDLC) Configuration Management Plan – No approval
• Configuration Management Code Migration Procedures for [redacted] – No authorization
• Acquisition Planning and Selection and Development Process – No authorization
• Configuration Management Code Migration Procedure for Systems, Applications, and Products – No authorization
• Production Management Team Procedures – No approval, no change history
• NDC Operations: Standard Operating Procedures – No approval
Recommendation: Ensure all documentation outlining CBP policies, procedures, and guidelines is appropriately coordinated and officially approved.
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-37
Condition: User acceptance testing for Employee Self Service Solution (ESSS)/Remedy was not formally documented.
Recommendation:
• Ensure that user acceptance testing is performed for all systems developed or acquired at CBP.
• Maintain formal documentation of user acceptance testing, including test plans and results.
New Issue: X; Risk Rating: Medium

NFR #: CBP-IT-06-38
Condition: We noted that one individual with [redacted] LAN administrator privileges did not have justified access.
We noted that there are instances where [redacted] locks security administrator accounts due to various reasons that do not require documented approvals for reinstating the user account. Additionally, we noted that in instances where the [redacted] security administrator is new or reinstatement of suspended/deleted accounts is needed, a documented approval is required. We noted that due to a system limitation within [redacted], management cannot produce a system-generated list of field [redacted] security administrators that differentiates between the two cases.
Recommendation:
• Delete [redacted] LAN administrator privileges from the individual without a documented need.
• Perform periodic review of LAN accounts with [redacted] LAN administrator privileges to determine whether the access is appropriate.
• Formally document approvals every time a field [redacted] administrator privilege is requested, regardless of whether it is due to a new administrator, an existing administrator that was suspended or deleted, or an existing administrator that lost their profile but is still active in the system.
• Work towards identifying a solution in [redacted] that will allow system-generated listing of users that required formal field administrator access approval documentation.
New Issue: X; Risk Rating: High

NFR #: CBP-IT-06-39
Condition: We noted that 1 out of 3 selected batch job schedule changes did not have documented approval.
Recommendation: Management consistently document and maintain the OMS approvals for job schedule changes.
New Issue: X; Risk Rating: Medium

Department of Homeland Security
FY2006 Information Technology
Notification of Findings and Recommendations – Detail

United States Coast Guard

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR #: CG-IT-06-001
Condition: The [redacted] Business Contingency and Disaster Recovery Plan is still in draft form and has not yet been tested.
Recommendation:
• Finalize and implement the DRBC and ensure that it reflects changes in hardware and software and addresses disaster recovery procedures for [redacted]'s key financial systems.
• Identify an alternate processing site and document associated restoration procedures.
• Periodically test the DRBC and evaluate the results of the testwork so that the DRBC can be adjusted to correct any deficiencies identified in testing.
Repeat Issue: X; Risk Rating: High

NFR #: CG-IT-06-002
Condition: A comprehensive incident capability that includes designated response team members and procedures for incident handling, to help ensure that an incident is properly handled, has not been documented and implemented.
Recommendation:
• Develop an incident response capability that includes:
  - Designation of response team members;
  - Training for team members; and
  - Procedures for incident handling, including preparation, containment, eradication, recovery, and follow-up activities.
• Approve and implement the incident response capability at the [redacted].
New Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-003
Condition: Configuration weaknesses over [redacted] workstations allowed users to modify sensitive workstation system and security settings. During our test work, using a [redacted] network user account provided with ordinary privileges, we were able to successfully:
• Disable the desktop's anti-virus;
• Change the screen saver setting to remove the password-locking feature; and
• Increase the time period for the screen saver activation significantly.
Recommendation:
• Develop and implement a configuration checklist for the anti-virus server.
• Perform periodic audits of the anti-virus and workstation security settings to ensure appropriate configurations are maintained.
New Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-004
Condition: Although backup tapes for [redacted] and the [redacted] are created on a regular basis, testing procedures have not been documented in accordance with [redacted] Instruction. Additionally, although [redacted] rotated offsite to the [redacted], [redacted] backups have not been included in the tape rotation process to the [redacted]. Although a tape rotation schedule and tape rotation procedures have been documented, the tape transfer logs are not being completed in their entirety to note the tape numbers and the number of tapes being rotated offsite.
Recommendation:
• Develop and document comprehensive backup procedures, which include testing the [redacted] and [redacted] backup tapes on a regular basis, at least annually.
• Enforce the tape rotation procedures to ensure that tape transfer logs are completed, and perform a weekly review to ensure that the logs are completed in their entirety before the tapes are sent to the [redacted].
• Include the [redacted] backup tapes in the weekly offsite tape rotation to the [redacted]. Update the tape transfer log to include the [redacted] backup tapes that will be included in the rotation.
New Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-005
Condition: Although a change control process has been established and documented for WINS, the process is not consistently followed. The appropriate approvals are not consistently documented within PVCS Tracker prior to implementation. Out of a selection of 30 changes, 2 approvals were not documented. Additionally, evidence of testing, either through attached test plans and results or emails, was not consistently attached to the selected SCRs within Tracker. As a result, evidence of testing for 7 out of the 30 selected changes was not available. Additionally, although criticality levels for changes have been defined, procedures for making emergency changes to [redacted] have not been developed.
Recommendation:
• Approve and complete each field related to the SCR within PVCS Tracker in accordance with the documented requirements of the Finance Center Staff Instruction 5232.1C;
• Attach appropriate test plans, results, and approvals to the SCR forms within PVCS Tracker in accordance with Instruction 5232.1C; and
• Document procedures for controlling emergency changes to the [redacted] application.
New Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-006
Condition:
• [redacted] emergency procedures are in place for the evacuation of [redacted] and its Data Center. However, no emergency re-entry procedures exist within this directive.
• No policies and procedures are in place to guide and document the emergency training of Data Center personnel.
• Weaknesses exist in the implementation of least privilege regarding granting access to the Data Center personnel. Specifically, two out of the fifteen personnel forms selected granted twenty-four hour access to individuals on the janitorial staff.
Recommendation:
• Finalize and implement the emergency procedures so that they include re-entry procedures into the Data Center.
• Develop and implement policies and procedures to train Data Center staff in emergency procedures pertaining, but not limited, to fire, water, and alarm procedures. Additionally, formalize this training by retaining documentation that all staff has completed the training.
• Continue to limit entry to the Data Center, especially after normal business hours, to critical personnel only.
New Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-007
Condition: The passwords for [redacted] are not required by the system to be 8 characters in length or to contain a combination of alphabetic, numeric, and/or special characters. Due to lack of vendor support, there is uncertainty as to the feasibility of implementing stronger password controls.
Recommendation: Complete planned corrective actions to replace [redacted] with the Coast Guard Direct Access HRMS 8.9 implementation, which will address vendor support and password strength.
Repeat Issue: X; Risk Rating: Medium

NFR #: CG-IT-06-008
Condition: A periodic review of Direct Access access lists was not conducted to ensure that users had the correct access privileges. Additionally, we determined that an applicant could be entered and hired by the same individual. The process of transitioning an applicant to an employee is in an audit trail; however, this audit trail is not reviewed on a regular basis.
Recommendation:
• Perform a periodic review of accounts to ensure that users are currently employed and have the correct access to the system, specifically to sensitive areas.
• Require that the person who enters an applicant's data is not the person
that hires the applicant or have an\n                                                                    independent party at        monitor\n                                                                    Direct Access audit trails on a\n                                                                    regular basis for any irregularity.\n\nCG-IT-   Access authorization requests for         ids did      \xe2\x80\xa2   Perform a periodic review of                             X         Medium\n06-009   not indicate the roles or menus necessary for the                  accounts to ensure that users\n         user to perform job functions; rather access               are employed by the USCG and\n         authorizations identified a current user with              have the appropriate access to the\n         similar privileges that could be copied to create          system, specifically to sensitive\n         the privileges for the new         id.                     areas.\n         Additionally, requests for new accounts are            \xe2\x80\xa2   Utilize the        access form,\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       42\n\x0c                                                                                                                                 Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                         Risk\nNFR #                        Condition                                      Recommendation                  New Issue   Repeat Issue\n                                 
                                                                                                       Rating\n         accomplished via email, and the system                     which indicates the roles and\n         administrator did not routinely retain these               responsibilities required for an\n         emails prior to January 2006.                              individual\xe2\x80\x99s job function and a\n                                                                    supervisor\xe2\x80\x99s approval.\n\nCG-IT-   \xe2\x80\xa2   Formal documented procedures are not in            \xe2\x80\xa2   Document policies and procedures                         X         Medium\n06-010       place over syst          are changes, related to       for requesting, authorizing, testing,\n                         an                                         and approving system software\n         \xe2\x80\xa2   A testing baseline for system software                 changes, including emergency\n             changes has not been established and                   changes.\n             documented;                                        \xe2\x80\xa2   Establish a testing detail baseline\n         \xe2\x80\xa2   PSC does not formally document and                     that defines the standard\n             maintain the following for each system                 components that should be\n             software change:                                       documented for software changes,\n             - System software change request and                   and communicate and enforce this\n                 authorization of the request;                      procedure to implement testing as a\n             - Test plan documentation and test results;            component of change\n             - Approval for migration of system                     implementation.\n                 software changes into production; and          \xe2\x80\xa2   Document and maintain test 
plans,\n         \xe2\x80\xa2   The audit trail of system software changes is          test results, and approvals for all\n             not periodically reviewed.                             system modifications.\n                                                                \xe2\x80\xa2   Review an audit trail of system\n                                                                    software changes to identify\n                                                                    unauthorized changes.\n\nCG-IT-   Test plans and test results for        application     \xe2\x80\xa2   Document and maintain test plans           X                         High\n06-011   changes were not consistently documented and               and test results for application\n         maintained. Specifically, 28 out of 30 selected                  es, in accordance with the\n         application changes did not have test plans or test             SDLC policy\n         results documented. In addition, 11 out of 30          \xe2\x80\xa2   Obtain and document appropriate\n         changes were not approved by the business                  approvals prior to the\n         sponsor (user acceptance approval) and 4 out of 30         implementation of program\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       43\n\x0c                                                                                                                              Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\n                                                                                                                                      Risk\nNFR #              
          Condition                                   Recommendation                  New Issue   Repeat Issue\n                                                                                                                                     Rating\n         changes were not approved by the peer reviewers          changes, in accordance with\n         prior to migration into production, as required by       SDLC policy\n         the      Systems Development Life Cycle\nCG-IT-           passwords are not in           ce with the   \xe2\x80\xa2   Strengthen password and account           X                         High\n06-012   DHS password policy. The               ystems            configurations in accordance with\n         does not enforce the following password rules:           DHS 4300A requirements\n         \xe2\x80\xa2 passwords are to be eight characters in                including:\n             length                                                   - Require passwords to be\n         \xe2\x80\xa2 passwords are to include alphabetic,                            eight characters in length\n             numeric, and special characters                          - Require passwords to\n         \xe2\x80\xa2 passwords are not be the same as the                            include alphabetic,\n             previous eight passwords                                      numeric, and special\n                                                                           characters\n         We determined that          sessions are not                 - Require that passwords not\n         timed out following 20 minutes of inactivity and                  be the same as the previous\n         accounts are not disabled following a period of                   eight passwords\n         90 days of inactivity.                                       
- Terminate sessions\n                                                                           following 20 minutes of\n         During our testing of         accounts with                       inactivity\n         special attributes, we determine                             - Delete inactive accounts\n         generic accounts have access to             and                   following 90 days of\n                          . Additionally, we determined                    inactivity\n         that the                   and                       \xe2\x80\xa2   Set         security settings to the\n         settings were not enabled. Furthermore, four             most restrictive mode.\n         accounts assigned to        personnel had both           Specifically, the following\n                     and                 , two of which                         settings should be\n         were system programmers.                                 changed:\n                                                                      - Change\n                                                                           to\n                                                                      - Enable\n                                                              \xe2\x80\xa2   Review access to sensitive\n                                                                  privileges to ensure that users\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    44\n\x0c                                                                                                                           Appendix B\n\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2006\n\n                    
                                                                                                               Risk\nNFR #                       Condition                                  Recommendation                 New Issue   Repeat Issue\n                                                                                                                                  Rating\n                                                               require the privilege to perform job\n                                                               functions.\n\n\nCG-IT-   Outgoing Personnel forms were not documented      Implement corrective actions to document      X                       Medium\n06-013   for two out of nine selected users. These two     and implement policies and procedures\n         individuals retained access to the                for use in managing terminations,\n         system with read only access.                     including use of the Outgoing Personnel\n                                                           form.\nCG-IT-   \xe2\x80\xa2 Excessive access privileges have been           \xe2\x80\xa2 Review the              database user       X                         High\n06-014       granted within the      database.                  listing to de       e which users\n         \xe2\x80\xa2 Password configurations for the                      have a business need to retain\n                                                                access to the\n            profiles have been configured to permit        \xe2\x80\xa2 Configure the\n            passwords to be a minimum of six                                           and\n            characters in length. Additionally, the                            profiles to be in\n            password history requirement is the only            compliance with\n            password requirement that has been                  Password Policy SOP.\n            configured for the               profile. 
     \xe2\x80\xa2 Establish detailed procedures for\n         \xe2\x80\xa2 Audit logging has not been enabled within            audit trail generation, review and\n            the        application or database.                 management.\n         \xe2\x80\xa2 Documented access request forms could not       \xe2\x80\xa2 Develop and implement access\n            be located for nine out of 22 new                   control procedures for the\n            users granted access to the applic                  system and database accounts.\n            Additionally, although the automated access    \xe2\x80\xa2 Develop and implement access\n            request forms for the other 13 out of 22 new        control procedures for the\n                   users granted access to the                  system and database accounts.\n            application were approved, the level of        \xe2\x80\xa2 Develop and implement access\n            access/privileges associated with the new           control procedures for the\n            user were not documented on the access              system and database acco\n            request form.\n         \xe2\x80\xa2 Individuals who are no longer employed with\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                  45\n\x0c                                                                                                                               Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\n                                                                                                                                       Risk\nNFR #                        Condition                                     
Recommendation                 New Issue   Repeat Issue\n                                                                                                                                      Rating\n                        were found to have active\n              accounts within\n         \xe2\x80\xa2 WINS account reviews have not been\n              performed on a periodic basis.\nCG-IT-   Weaknesses were noted in regard to these              \xe2\x80\xa2   Continue with efforts to improve          X                       Medium\n06-015              personnel entrance and exit procedures         the implementation of the\n         for civilian, contractor and military personnel.          personnel entrance and exit\n         Specifically, out of fifteen entrance check-in            procedures and a more formalized\n         sheets inspected, thirteen were incomplete or did         chain of command for the\n         not exist. Additionally, out of fifteen exit check-       collection of the check-in and\n         out sheets inspected, only four were received from        check-out sheets.\n         our sample selection, and none of which were          \xe2\x80\xa2   Track and monitor the completion\n         complete.                                                 
of check-in and check-out sheets.\n                                                               \xe2\x80\xa2   Ensure that personnel indicate\n                                                                   which line items on the check-\n                                                                   in/check-out sheets are not\n                                                                   applicable.\n                                                               \xe2\x80\xa2   Retain Check-out sheets for up to a\n                                                                   year after an employee\xe2\x80\x99s departure.\n\nCG-IT-   \xe2\x80\xa2   Password configurations for        have been      \xe2\x80\xa2   Configure the        application and      X                         High\n06-16        not configured to maintain the password               database to be       mpliance with\n             history for each account.                                          Password Policy SOP.\n         \xe2\x80\xa2   Users are not locked out of their                 \xe2\x80\xa2   Configure the        application and\n             accounts after three invalid logon attempts.          database to lock users out of their\n         \xe2\x80\xa2   Policies and procedures for application and           accounts after three failed login\n             database audit log management have not                attempts.\n             been documented.                                  \xe2\x80\xa2   Establish detailed procedures for\n         \xe2\x80\xa2   Documented access request forms could not             audit trail generation, review and\n             be located for three out of nine new                  management.\n             users granted access to the application.          
\xe2\x80\xa2   Develop and implement access\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                      46\n\x0c                                                                                                                                Appendix B\n\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2006\n\n                                                                                                                                        Risk\nNFR #                       Condition                                    Recommendation                    New Issue   Repeat Issue\n                                                                                                                                       Rating\n         \xe2\x80\xa2         accounts are not immediately disabled         control procedures for the\n             upon an employee\xe2\x80\x99s termination.                     system and database accounts.\n             Specifically three civilians terminated         \xe2\x80\xa2   Develop and implement access\n             employment with                                     control procedures for the\n         \xe2\x80\xa2          has not been configured to track and         system and database accounts.\n                    vate accounts that have not been used    \xe2\x80\xa2   Configure the system to track and\n             in 90 days.                                         
lock the accounts of individuals\n         \xe2\x80\xa2         account reviews have not been                 who have not logged into the\n             performed on a periodic basis and results of        system in 90 days.\n             the reviews are not maintained.                 \xe2\x80\xa2   Develop and implement access\n         \xe2\x80\xa2   An excessive number of individuals have user        control procedures for the\n             administrator capabilities within                   system and database accounts.\n                                                             \xe2\x80\xa2   Develop                wide segregation\n                                                                 of duties policy that provides\n                                                                 guidance to personnel regarding\n                                                                 incompatible duties.\nCG-IT-   \xe2\x80\xa2   Password configurations for application and     \xe2\x80\xa2   Configure the         application and        X                         High\n06-017       database have been configured to permit                          be      mpliance with\n             passwords to be a minimum of six                                 Password Policy SOP.\n             characters in length.                           \xe2\x80\xa2   Upgrade         to ensure that users\n         \xe2\x80\xa2   Users are not locked out of their                   are locke       of their accounts\n             application accounts after three invalid            after three invalid attempts.\n             logon attempts.                                 \xe2\x80\xa2   Establish detailed procedures for\n         \xe2\x80\xa2         logging has not been enabled within the       audit trail generation, review and\n                  application or database.                       
management.\n         \xe2\x80\xa2   Individuals who are no longer employed          \xe2\x80\xa2   Develop and implement access\n             with            were found to have active           control procedures for the\n             accou          n                                    system and database acco\n         \xe2\x80\xa2        account reviews have not been              \xe2\x80\xa2   Develop and implement\n                  rmed on a periodic basis.                      control procedures for th\n                                                                 system and database accounts.\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    47\n\x0c                                                                                                                             Appendix B\n\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2006\n\n                                                                                                                                     Risk\nNFR #                        Condition                                    Recommendation                New Issue   Repeat Issue\n                                                                                                                                    Rating\nCG-IT-   \xe2\x80\xa2   Password configurations for the application       \xe2\x80\xa2   Configure the                           X                         High\n06-018       and database have been configured to permit           application and             e in\n             passwords to be a minimum of six                      compliance wit\n             characters in length                          
        Password Polic\n\n         \xe2\x80\xa2   Policies and procedures for application and       \xe2\x80\xa2   Establish detailed procedures for\n             database audit log management have not                audit trail generation, review and\n             been documented.                                      management.\n         \xe2\x80\xa2              account reviews have not been          \xe2\x80\xa2   Develop and implement a\n             performed on a periodic basis.                        control procedures for the\n                                                                   system and database acco\nCG-IT-   \xe2\x80\xa2   Manager Review of System Administration           \xe2\x80\xa2   Revise the Manager Review of                          X           High\n06-019       Monitor Procedures have been developed that           System Administration Monitor\n             guide managers in performing periodic system          Procedures to note how often\n             administration monitoring reviews. However,           managers should perform system\n             the procedures do not note the periods of             administration monitoring reviews.\n             review that are being monitored, who is           \xe2\x80\xa2   Continue enforcing\n             responsible for performing the reviews and            Instruction 5230.3 \xe2\x80\x93 Policy for\n             evidence that the manager review was                  System Level Access to\n             performed could only be obtained for March            Computer Assets.\n             2006. 
Additionally, although the manager          \xe2\x80\xa2   Continue enforcing\n             reviews were implemented in March 2006, for           Instruction 5230.3 \xe2\x80\x93           r\n             the first half of the fiscal year, October            System Level Access to\n             through March,            system administration       Computer Assets to ens\n             monitoring was            formed by a manager         accounts of terminated\n             or group outside of the three systems                 civilians/contractors/military\n             administrators during that time period.               personnel are revoked in a timely\n         \xe2\x80\xa2   The access request form for one out of four           manner.\n             individuals granted access to          since\n             October 1, 2005, did not cont\n             supervisor\xe2\x80\x99s approval.\n         \xe2\x80\xa2   The account of a contractor that lef\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     48\n\x0c                                                                                                                                     Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                             Risk\nNFR #                         Condition                                      Recommendation                     New Issue   Repeat Issue\n                                                                                                                                            Rating\n             
in October 2005 remained active until May 2006.

NFR # CG-IT-06-020 (New Issue; Risk Rating: Medium)

Condition: A Security Configuration Management Plan does not exist that clearly delineates the roles and responsibilities between [redacted], and the [redacted] is the organization under contract by Coast Guard to manage the [redacted] and [redacted] software programs. Consequently, the System Security Plans for the [redacted] and [redacted] applications do not include key security control information. Specifically, the plans do not include information on the current security configuration management process, including delineation of responsibilities for all involved parties. The System Security Plans were otherwise compliant with current NIST standards.

Recommendation: Implement corrective actions to implement a [redacted] Security Configuration Management Plan that includes the roles and responsibilities of [redacted] and [redacted]. Also, the plan should address both [redacted] and [redacted] and their associated operating systems and databases. Subsequently, the [redacted] and [redacted] System Security Plans should be updated to reflect the approved information in the [redacted] Security Configuration Management Plan.

NFR # CG-IT-06-021 (New Issue; Risk Rating: Medium)

Condition: Coast Guard Headquarters is in the process of developing policy that addresses role-based training requirements for individuals with critical IT positions. However, this Training and Education Plan is currently still in draft form, and no policies and procedures exist that require critical IT personnel to continue their education through role-based training.

Recommendation:
• Finalize the development of centralized headquarters policies and procedures for IT role-based training for civilian personnel with critical IT positions.
• Deploy the IT role-based training of civilian personnel with critical IT positions down to the CG component levels for implementation.

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit
49

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2006

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

NFR # CG-IT-06-022 (New Issue; Risk Rating: Low)

Condition: NOAA forgotten widows, member type 1384, are not designed to be excluded from the actuarial data file created annually to estimate the pension liability for the Coast Guard. Forgotten widows are the survivors of retired personnel who died before any survivor benefit program was enacted. The program is designed to exclude those member types included in the [redacted] group identified in the [redacted], which does not contain member [redacted]. All member types not in the [redacted] group are included in the actuarial liability file.

Recommendation: Implement corrective actions to add the [redacted] to the [redacted] group in the [redacted] to exclude NOAA Forgotten Widows from the actuarial data file.

NFR # CG-IT-06-024 (Repeat Issue; Risk Rating: Medium)

Condition: A security test and evaluation has not been conducted on the [redacted] General Support System. In addition, the final Certification and Accreditation package has not been created, and an Authorization to Operate has not been requested or approved for the [redacted] General Support System.

Recommendation: Complete the Certification and Accreditation package for the [redacted] general support system in compliance with NIST Special Publication 800-37 and DHS Sensitive Systems Policy Directive 4300A, including a Security Assessment Report and a signed Authorization to Operate.

NFR # CG-IT-06-025 (New Issue; Risk Rating: Medium)

Condition: No documentation exists for the change control process, including the emergency changes process, surrounding the [redacted] application. Although a development server exists for the application, [redacted] management indicated that application version 6.0.13 was the only version implemented for [redacted] in 2003 and no changes or updates have been made since.

Recommendation:
• Develop and implement a change control process for the [redacted] application.
• Develop and implement an emergency change control process for the [redacted] application.

NFR # CG-IT-06-026 (Repeat Issue; Risk Rating: High)

Condition: During technical testing, patch management weaknesses were identified on hosts supporting the [redacted] and [redacted] applications. Many of these vulnerabilities could allow a remote attacker to gain full control of the affected host and could lead to the compromise of the confidentiality and integrity of [redacted] and [redacted] data.

Recommendation:
• Implement the corrective actions noted in the finding.
• Implement policies and procedures to ensure that the software builds created by the CG software developer are tested to ensure that all software security configurations, such as software patches and non-compliant settings, are up to date.
• Continue the process for performing periodic scans of the [redacted] network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

NFR # CG-IT-06-027 (Repeat Issue; Risk Rating: High)

Condition: During technical testing, configuration management weaknesses were identified on hosts supporting the [redacted] and [redacted] applications. Specifically, servers were identified with excessive access privileges, and password and auditing configuration weaknesses.

Recommendation:
• Implement the corrective actions noted in the finding.
• Implement policies and procedures to ensure that the software builds created by the CG software developer are tested to ensure that all software security configurations, such as software patches and non-compliant settings, are up to date.
• Continue performing periodic scans of the [redacted] network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

NFR # CG-IT-06-028 (Repeat Issue; Risk Rating: High)

Condition:
• Coast Guard has not completed the process of filing the records that were recovered and recreating the records that were not found during the migration of records from the Department of Transportation to DHS.
• Civilian background investigations and reinvestigations are not being consistently performed. Specifically, three (3) out of seven (7) newly hired civilian employees at [redacted] did not have any record of a background investigation on file. Additionally, for the re-investigation of [redacted] employees, four (4) out of five (5) GS employees selected did not have a current investigation on file.
• Position sensitivity level distinctions for civilian personnel with access to DHS information systems at [redacted] are not accurately depicted. Specifically, of the selection of position descriptions received, nine (9) out of ten (10) had non-critical position sensitivities although their job functions were those of IT personnel with advanced access to the DHS system.

Recommendation:
• Complete the process of restoring the background investigation records of their military and civilian personnel that were not included during the migration of records from the Department of Transportation to DHS.
• Perform the background investigations for civilian employees in accordance with DHS directives.
• Reevaluate and assign the correct position sensitivity levels to individuals with access to DHS information systems in accordance with DHS policy.

NFR # CG-IT-06-029 (New Issue; Risk Rating: High)

Condition: Coast Guard has operated and continues to operate a separate, informal and largely undocumented change development and implementation process affecting Coast Guard Financial Systems, outside of and conflicting with the formal change control process. This informal script development and implementation process began with the implementation of [redacted] in June of 2003. [redacted] reports that the documentation and tracking of the scripts was not developed until June of 2005, but is unable to provide a complete population of implemented scripts, to include the type, purpose and intended effect on financial data. The implemented process is ineffective, as the approval, testing and documentation procedures for the script changes are not appropriately designed, and the current process is ineffective at controlling the intended and actual effect on financial data.

Recommendation:
• Immediately implement a single, integrated change control process over Coast Guard Financial Systems with appropriate internal controls.
• Immediately commence an in-depth examination of the Coast Guard Financial Systems with an external independent organization trained in financial information systems and process analysis and with a demonstrated understanding of the federal accounting environment.
• In conjunction with item number two above, begin an in-depth examination to determine and document, in detail, the effects of the identified root causes and implemented automated and manual adjustments on financial data and affected financial statements for prior reporting periods, and make appropriate restatements.

NFR # CG-IT-06-030 (Repeat Issue; Risk Rating: Medium)

Condition:
• A copy of the [redacted] Disaster Recovery Plan has been completed. However, the plan has not been tested.
• The DRP for the [redacted] has been completed. However, testing of the [redacted] DRP has not taken place. The projected completion date is October 2006.
• The DRP for the General Support System has been completed. However, testing of the DRP is scheduled to take place by the end of the year.
• A copy of the Memorandum of Understanding (MOU) between [redacted] and two other CG components that the [redacted] must rely on for various reasons at the off-site facility was cited in the Disaster Recovery Plan.
• A finalized contract with the off-site facility was cited in the Disaster Recovery Plan. However, we were unable to obtain the signature page for it during our audit field work.

Recommendation:
• Periodically test the DRPs and Contingency Plans for the [redacted] and [redacted] so that the plans can be adjusted to correct any deficiencies identified in testing.
• Obtain a finalized and approved MOU with [redacted] and CG-61 outlining their responsibilities in getting the [redacted] DR site up and running in a timely manner.
• Obtain a finalized and approved contract with the [redacted] off-site Disaster Recovery facility.

NFR # CG-IT-06-031 (Repeat Issue; Risk Rating: High)

Condition: During our FY 2006 follow-up testing, we determined that [redacted] had taken corrective action on several of the previously noted vulnerabilities; however, several remained. The remaining vulnerabilities are in the following four areas:
• Account management: 2 high-risk vulnerabilities and 4 medium-risk vulnerabilities
• Configuration management: 2 medium-risk vulnerabilities
• Patch management: 3 high-risk vulnerabilities

Recommendation:
• Implement the corrective actions noted in the finding.
• Institute a formal process for performing periodic scans of the [redacted] network environment for the identification of vulnerabilities, in accordance with the DHS IT Security Program Handbook for MD4300A and NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

NFR # CG-IT-06-032 (Repeat Issue; Risk Rating: High)

Condition: During our FY 2006 testing, we determined that none of the [redacted] prior year vulnerabilities were corrected. As a result, the vulnerabilities present in FY 2006 are in the following four areas:
• Audit management: 2 medium-risk vulnerabilities
• Configuration management: 3 high-, 6 medium- and 11 low-risk vulnerabilities
• Password management: 1 high- and 5 medium-risk vulnerabilities
• Patch management: 11 high-, 12 medium- and 12 low-risk vulnerabilities

Recommendation:
• Implement the corrective actions noted in the tables above.
• Institute a formal process for performing periodic scans of the [redacted] network environment for the identification of vulnerabilities, in accordance with the DHS IT Security Program Handbook for MD4300A and NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

NFR # CG-IT-06-033 (New Issue; Risk Rating: Medium)

Condition: [redacted] contracts the maintenance of their information systems software and hardware for the Superdome supercomputer, which houses the four production databases including the [redacted] production database, to Hewlett Packard (HP) through two separate service agreements. One of the service contracts is valid until 2007 for a segment of their computer software and hardware. However, the second portion of [redacted] Superdome equipment is covered under a maintenance contract that expired on May 31, 2006. [redacted] has requested a renewal of this contract; however, the request is still pending and there is no other contractual agreement to cover the maintenance of their software and hardware during this lapse in service contracts.

Recommendation:
• Continue to communicate with Coast Guard Headquarters in order to convey the importance of a timely renewal of the maintenance contract.
• Maintain a continuous service contract for the hardware and software with the current vendor by anticipating delays in contract renewal and submitting requests for procurement in a timely manner.

NFR # CG-IT-06-034 (Repeat Issue; Risk Rating: High)

Condition:
• [redacted] does not perform background investigations or verify that background investigations have been performed for contractors working at [redacted], especially those with sensitive IT positions. Specifically, [redacted] employs 150 contractors; however, we were unable to obtain the status of a background investigation on any of them.
• No risk levels for contractor personnel with access to DHS information systems at [redacted] exist. Contracting personnel with IT job functions that require advanced access to the DHS system are not categorized at a higher risk level than an individual who uses the system with basic privileges.

Recommendation:
• Implement policies and procedures to ensure compliance with the new DHS policies for the background investigations of contracting personnel.
• Develop risk levels for contractor positions with access to DHS information systems in accordance with DHS policy.

NFR # CG-IT-06-035 (New Issue; Risk Rating: Low)

Condition: The Memorandum of Understanding (MOU) developed between Coast Guard [redacted] and Treasury Financial Management Service addresses the development, management, operation, and security of a connection between systems owned by both parties. The previous agreement expired in April of 2006, and a current MOU between [redacted] and Treasury has not been completed.

Recommendation: Complete planned corrective actions to finalize and obtain all approvals for the MOU and ISA between [redacted] and Treasury-FMS Financial Management Service.

NFR # CG-IT-06-036 (New Issue; Risk Rating: Medium)

Condition:
• Seven developers out of 15 personnel in the Business Services Section had inappropriate access to the [redacted] function in the Production and Development environments, allowing them to potentially circumvent the change control process at [redacted] from October 1, 2005 through August 10, 2006.
• We further note that 5 out of 15 personnel in the Business Services Section had inappropriate access to functions containing elevated privileges in the Production and Development environments, allowing them to update production and potentially circumvent the change control process at [redacted].

Recommendation:
• Remove analyst access to the development environment.
• Continue to ensure that developers have limited access (select or read only) to the production environment.

NFR # CG-IT-06-037 (New Issue; Risk Rating: High)

Condition: The following password configuration weaknesses are associated with the [redacted] ([redacted]) application:
• Passwords were not configured to require password changes every 90 days from October 1, 2005 to February 14, 2006.
• Passwords were not configured to require a minimum length of six instead of eight.
• Passwords were not configured to maintain a history of six passwords.
• Passwords were not configured to require a combination of alphabetic, numeric, and special characters.
• Passwords were not configured to restrict dictionary words, including dictionary words spelled backwards.
• Passwords were not configured to restrict simple pattern passwords, such as “qwerty” or “xyz123”.
• Passwords were not configured to check that two identical characters in any position exist from the previous password.
Additionally, we identified that the [redacted] application is configured to terminate idle sessions after 30 minutes of inactivity instead of 20 minutes.

Recommendation:
• Modify the [redacted] application password configurations to be compliant with DHS and Coast Guard policy.
• Configure the [redacted] application to terminate idle sessions after a specified period of inactivity as defined in DHS and Coast Guard policy.

NFR # CG-IT-06-038 (New Issue; Risk Rating: High)

Condition: The following segregation of duties weaknesses are associated with the [redacted] application.
Application Audit Trails/Monitoring
• The [redacted] application does not have the capacity to maintain audit trails for management review.
Incompatible Duties
• There is only one individual performing all [redacted] DBA duties. The lone [redacted] DBA's actions are not reviewed for appropriateness, including changes to data and/or security profiles.
• Users in the “[redacted]” group have privilege to insert data at the database level.
• There are 17 accounts associated with the DBA role in Oracle.

Recommendation:
• Monitor the [redacted] user and DBA actions, and develop and implement procedures to periodically perform reviews of [redacted] user actions.
• Develop and implement procedures to periodically perform reviews of the [redacted] DBA's actions.
• Perform a review of accounts with DBA privileges to determine that access is granted based on the principle of least privilege.

NFR # CG-IT-06-039 (New Issue; Risk Rating: Medium)

Condition: There are no documented policies and procedures on the calculation of the environmental liability reported on the DHS Consolidated balance sheet. The environmental liability is adjusted quarterly based on the data stored in the [redacted] application.

Recommendation: Develop policies and procedures around calculation of the environmental liability using data stored in the [redacted] application.

NFR # CG-IT-06-040 (New Issue; Risk Rating: High)

Condition: We identified the following account management weaknesses associated with the SAM application.
Inactive Accounts
• A planned monthly review of inactive application user accounts has not been implemented.
• There are 315 active accounts that have not logged into the [redacted] application for 90 days.
Access Authorizations
• Access authorization documentation was not made available for 17 out of 60 selected new [redacted] application users.
Logical/Physical Access Reviews
• The [redacted] application accounts are not recertified annually to validate that the accounts belong to appropriate personnel.
• Management is not reviewing failed logon attempts to the [redacted] application.

Recommendation:
• Develop and implement procedures to periodically perform reviews of inactive [redacted] application accounts.
• Develop and implement procedures requiring documented authorization for access to the [redacted] application.
• Develop and implement procedures to periodically perform reviews of [redacted] application accounts.
• Develop and implement procedures to periodically perform reviews of failed logon attempts to the [redacted] application.
• Develop and implement a centralized process for tracking terminations of all Coast Guard personnel, including military, civilian, and contractor personnel, and implement a process
to ensure that access to        is\n         Termination Procedures                                   removed for all terminated personnel\n                                                                  in a timely manner.\n         \xe2\x80\xa2 Five separated civilian personnel had active\n            accounts in the        application.\n         \xe2\x80\xa2 Nine separated military personnel had active\n            accounts in the        application.\n         \xe2\x80\xa2 Coast Guard does not maintain a centralized\n            listing of separated contractors.\n\nCG-IT-   System change request to modify transaction          The system change request to                                 X         Medium\n06-041   code         o automatically reestablish the         automatically reestablish the funds as\n         funds as obligated was implemented in March          obligated when transaction code\n         2006 within the      3.2 build. Currently, the       is used was implemented in March\n         automated process appeared to be operating           2006 and therefore has no further\n         effectively. 
However, from October 2005              recommendations to provide.\n         through March 2006, no mitigating controls\n         such as procedures for training of staff and/or      For recommendations for all other\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     59\n\x0c                                                                                                                             Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                     Risk\nNFR #                        Condition                                   Recommendation                 New Issue   Repeat Issue\n                                                                                                                                    Rating\n         manual reviews were established to determine        transaction codes, refer to NFR CG IT-\n         whether or not the re-obligation should be          06-029.\n         established to the associated UDO balance.\n\n         Additionally,            management indicated\n         that transaction code      should not be\n         automatically reestablishing the funds in the\n         system. 
However, as we could not perform a\n         complete analysis of the        posting logic in\n         FY 2006 as noted in NFR CG IT-06-029,\n         transaction code       as well as other codes,\n         may still contain errors as of September 30,\n         2006.\n\nCG-IT-             had not developed formal change           Complete planned corrective actions to        X                       Medium\n06-042   control procedures documenting the                  document policies and procedures for\n         requirements for altering the criteria used in      requesting, authorizing, testing, and\n                     to match transactions. Functional       approving functional changes to\n         changes are required when initially establishing\n         a matching process or when the accounting\n         operations team identifies that transactions that\n         should be matching are not correctly matching\n         in the system.\n\nCG-IT-   Policies and procedures surrou        he change     \xe2\x80\xa2   Develop and implement additional          X                       Medium\n06-043   control process for Coast Guard        needs            change control policies and\n         improvement. 
Specifically, no policies and              procedures to include the testing of\n         procedures exist for:                                   changes in a pre-production\n         \xe2\x80\xa2 the testing/verification the functionality of         instance and obtain final approvals\n             the change in pre-production before the             from           management on all\n             change is implemented in production                 changes before implementation in\n         \xe2\x80\xa2 the final approval of the change by                   production.\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    60\n\x0c                                                                                                                              Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                      Risk\nNFR #                        Condition                                   Recommendation                  New Issue   Repeat Issue\n                                                                                                                                     Rating\n             management                                       \xe2\x80\xa2   Develop and implement a formalize\n                                                                  process for the retention of\n         Additionally, change control test results, as well       documentation throughout the\n         as approvals, are not consistently documented.           
change control process.\n         Specifically, documentation for the two formula\n         changes requested, did not include evidence of\n         testing in a pre-production instance and the final\n         approvals of the changes when they are\n         implemented in production. Furthermore, of the\n         five remained changes selected, we were unable\n         to obtain documentation of final of final\n         approvals for each of the five sample items\n         approvals for five out of the five items.\n\nCG-IT-   Policies and procedures for the overall change       \xe2\x80\xa2   Formally document and better              X                         High\n06-044   control process surrounding        and                   define the change control and the\n         changes and emergency changes are inadequate.            emergency change control process\n         Specifically, the policies and procedures do not         for both       and        This\n         fully include guidance for the roles and                 documentation should include the\n         responsibilities           possesses in the change       different roles and responsibilities\n         control process. Additionally, they do not               that CG-           and CG\xe2\x80\x99s support\n         include detailed requirements and guidance on            contractor have in the change\n         requesting changes, initial approvals,                   control process for the\n         testing, final approvals and documentation               product suite.\n         retention requirements for changes made to the       \xe2\x80\xa2   Develop and implement policies\n         system.                                                  
and procedures to specifically\n                                                                  address initial approvals of the\n                                                                  changes proposed by CG\xe2\x80\x99s support\n                                                                  contractor, including technical\n                                                                  changes, testing involved and final\n                                                                  approval of all changes to the\n                                                                  system.\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    61\n\x0c                                                                                                                            Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\n                                                                                                                                    Risk\nNFR #                        Condition                                 Recommendation                  New Issue   Repeat Issue\n                                                                                                                                   Rating\n                                                            \xe2\x80\xa2   In the testing phases of the change\n                                                                control process, retain\n                                                                documentation about the\n                                                                discrepancies found in            s\n        
                                                        results versus the test plans and\n                                                                results from their support\n                                                                contractor.\n                                                            \xe2\x80\xa2   Develop and implement a formalize\n                                                                process for the retention of\n                                                                documentation throughout the\n                                                                change control process for\n                                                                and\nCG-IT-   As a result of our audit test work and supported   \xe2\x80\xa2   Continue to develop, implement                          X           High\n06-045   by all the IT NFRs issued during the current           and monitor compliance with DHS,\n         year, we determined that Coast Guard is non-           Coast Guard and Federal security\n         compliant with the following laws and                  policies and procedures in the areas\n         regulations:                                           of:\n                                                                - Access Controls\n         \xe2\x80\xa2   Federal Information Security Management            - Change Controls\n             Act of 2002 (FISMA)                                - System Software\n         \xe2\x80\xa2   Federal Financial Management Improvement           - Segregation of Duties\n             Act (FFMIA)                                        - Entity-wide Security Planning\n         \xe2\x80\xa2   Office of Management and Budget (OMB)              - Service Continuity\n             Circular A-130\n                                                            \xe2\x80\xa2   Develop and implement corrective\n                                                                action 
plans to remediate the NFRs\n                                                                issued during the FY 2006 audit.\n                                                                These corrective action plans\n                                                                should be developed from the\n                                                                perspective of the identified root\n                                                                cause of the weakness.\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                  62\n\x0c                                                                                                          Appendix B\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2006\n\n                                                                                                                  Risk\nNFR #            Condition                            Recommendation             New Issue       Repeat Issue\n                                                                                                                 Rating\n\n\n\n\n        Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                 63\n\x0c                                                                                         Appendix B\n\n                           Department of Homeland Security\n                       Information Technology Management Letter\n                                  September 30, 2006\n\n\n\n\n                 Department of Homeland Security\n                  FY2006 Information Technology\n      Notification of Findings and Recommendations - Detail\n\n\n                 
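The password-configuration bullets at the top of this section list the checks the audited application did not enforce. The following is an added example, not code from the audit, from KPMG, or from the audited application; it implements those checks as a password-change filter: a six-password history, a required mix of character classes, dictionary words forwards and spelled backwards, keyboard and alphanumeric sequences such as "qwerty" and "xyz123", and overlap with the previous password. The word list, the previous password, the stored history and the sample candidates are all constructed; the eight-character minimum is the DHS 4300A figure cited in the FEMA findings of this letter; and reading the last bullet as "reject a candidate that keeps more than two characters in the same positions as the previous password" is an assumption, as is the rule that a password is rejected when half or more of it is a known sequence.

```python
"""Password-change filter for the rules listed in the Coast Guard password finding.

Added example; not code from the audit or the audited application. The word list,
the previous password, the history and the sample candidates are constructed."""
import hashlib
import re
from typing import List, Optional

HISTORY_DEPTH = 6             # maintain a history of six passwords
MIN_LENGTH = 8                # DHS 4300A minimum cited in the FEMA findings
MAX_POSITIONAL_OVERLAP = 2    # assumption: same-position characters that may survive a change
PATTERN_COVERAGE_LIMIT = 0.5  # assumption: reject when half or more of the password is a sequence

# Constructed word list; a real filter would load a full dictionary.
DICTIONARY = {"password", "coast", "guard", "summer", "welcome", "oracle", "admin"}

# Keyboard rows and alphanumeric runs, plus their reversals, used to catch simple patterns.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789"]
SEQUENCES += [s[::-1] for s in SEQUENCES]


def _hash(password: str) -> str:
    # History is stored hashed; a salted, slow hash (e.g. PBKDF2) belongs here in a real system.
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


def has_required_classes(pw: str) -> bool:
    """Alphabetic, numeric and special characters must all be present."""
    return bool(re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw))


def dictionary_word_in(pw: str, min_len: int = 4) -> Optional[str]:
    """Return a dictionary word contained in pw, forwards or spelled backwards, else None."""
    lowered = pw.lower()
    for word in sorted(DICTIONARY):
        if len(word) >= min_len and (word in lowered or word[::-1] in lowered):
            return word
    return None


def pattern_coverage(pw: str) -> float:
    """Fraction of pw covered by runs (length >= 3) taken from a keyboard row or alphanumeric sequence."""
    lowered = pw.lower()
    n = len(lowered)
    covered = 0
    i = 0
    while i < n:
        best = 0
        for seq in SEQUENCES:
            length = min(len(seq), n - i)
            while length >= 3 and lowered[i:i + length] not in seq:
                length -= 1
            if length >= 3:
                best = max(best, length)
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / n if n else 0.0


def positional_overlap(a: str, b: str) -> int:
    """Number of positions at which two strings hold the same character."""
    return sum(1 for x, y in zip(a, b) if x == y)


def evaluate_password(candidate: str, previous: str, history: List[str]) -> List[str]:
    """Return the policy violations for candidate; an empty list means it is acceptable.

    previous is the current (old) password supplied at change time; history holds hashes of
    the most recent passwords, newest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not has_required_classes(candidate):
        problems.append("must combine alphabetic, numeric and special characters")
    word = dictionary_word_in(candidate)
    if word:
        problems.append(f"contains dictionary word '{word}' (forwards or reversed)")
    if pattern_coverage(candidate) >= PATTERN_COVERAGE_LIMIT:
        problems.append("built from a keyboard or alphanumeric sequence")
    if _hash(candidate) in history[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if positional_overlap(candidate, previous) > MAX_POSITIONAL_OVERLAP:
        problems.append("keeps too many characters in the same position as the previous password")
    return problems


# Constructed sample state for one user: current password and hashed history, newest first.
PREVIOUS_PASSWORD = "Harbor#2006"
PASSWORD_HISTORY = [_hash(p) for p in ("Harbor#2006", "Harbor#2005", "Harbor#2004")]

if __name__ == "__main__":
    for cand in ("Harbor#2007", "Harbor#2006", "Qwerty12!", "drowssaP9$", "abcdefgh", "Gx7!mK2q#Vt4"):
        print(cand, "->", evaluate_password(cand, PREVIOUS_PASSWORD, PASSWORD_HISTORY) or "accepted")
```

The positional check is the reason the filter needs the old password in the clear at change time; the history check only needs the stored hashes, which is why the two are handled separately.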
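The CG-IT-06-038 and CG-IT-06-040 findings above (17 accounts holding the Oracle DBA role, 315 accounts with no logon for 90 days, separated civilian and military personnel still holding active accounts, and no centralized list of separated contractors) are all detectable from two inputs: an export of application accounts with last-logon dates and roles, and a single separation list covering military, civilian and contractor personnel. The following is an added example, not from the audit or from the application; it runs that review as of the September 30, 2006 balance-sheet date. The export format, the separation-list format, the approved-DBA list and every record are constructed.

```python
"""Periodic account review: inactive accounts, separated personnel and DBA-role holders.

Added example; not from the audit or the audited application. The export format,
the separation list, the approved-DBA list and every record are constructed."""
import csv
from datetime import date
from io import StringIO
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90               # threshold used in the finding
AS_OF = date(2006, 9, 30)          # review date: the balance-sheet date of the audit
APPROVED_DBA_ACCOUNTS = {"pwang"}  # assumption: the approved list DBA-role holders are reconciled against

# Constructed application account export (roles separated by ';').
ACCOUNTS_CSV = """\
user_id,name,status,last_logon,roles
jsmith,Smith J,active,2006-09-28,USER
rjones,Jones R,active,2006-05-01,USER
mlee,Lee M,active,2006-06-12,USER;DBA
tkim,Kim T,disabled,2006-01-03,USER
aortiz,Ortiz A,active,,USER
pwang,Wang P,active,2006-09-01,DBA
"""

# Constructed centralized separation list covering civilian, military and contractor personnel.
SEPARATIONS_CSV = """\
user_id,category,separation_date
rjones,civilian,2006-04-30
mlee,military,2006-07-15
tkim,contractor,2005-12-20
"""


def _parse_date(text: str) -> Optional[date]:
    """Empty last_logon means the account has never been used."""
    return date.fromisoformat(text) if text else None


def parse_accounts(text: str) -> List[dict]:
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "user_id": row["user_id"],
            "status": row["status"].lower(),
            "last_logon": _parse_date(row["last_logon"]),
            "roles": set(filter(None, row["roles"].split(";"))),
        })
    return rows


def parse_separations(text: str) -> Dict[str, dict]:
    return {row["user_id"]: {"category": row["category"],
                             "separation_date": date.fromisoformat(row["separation_date"])}
            for row in csv.DictReader(StringIO(text))}


def review_accounts(accounts: List[dict], separations: Dict[str, dict], as_of: date) -> Dict[str, list]:
    """Return the exceptions a reviewer must disposition, keyed by finding type."""
    findings = {"inactive": [], "never_logged_on": [], "separated_active": [], "dba_unapproved": []}
    for acct in accounts:
        if acct["status"] != "active":
            continue  # only enabled accounts grant access; disabled ones are out of scope here
        uid = acct["user_id"]
        last = acct["last_logon"]
        if last is None:
            findings["never_logged_on"].append(uid)
        elif (as_of - last).days > INACTIVITY_DAYS:
            findings["inactive"].append(uid)
        sep = separations.get(uid)
        if sep and sep["separation_date"] <= as_of:
            # Days the account stayed active past separation: the "timely removal" measure.
            findings["separated_active"].append((uid, sep["category"], (as_of - sep["separation_date"]).days))
        if "DBA" in acct["roles"] and uid not in APPROVED_DBA_ACCOUNTS:
            findings["dba_unapproved"].append(uid)
    return findings


def run_review() -> Dict[str, list]:
    return review_accounts(parse_accounts(ACCOUNTS_CSV), parse_separations(SEPARATIONS_CSV), AS_OF)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items}")
```

The separation list is keyed by the same user identifier as the application export; without a single list spanning civilian, military and contractor personnel, which the finding notes Coast Guard did not maintain, the separated-but-active check cannot be run at all.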
Department of Homeland Security
FY2006 Information Technology
Notification of Findings and Recommendations - Detail

Federal Emergency Management Agency (FEMA)

FEMA-IT-06-01 (Repeat Issue; Risk Rating: High)

Condition:
During our technical testing, patch management weaknesses were identified on [redacted] servers. Specifically, as a result of missing patches, the [redacted] servers were vulnerable to buffer overflow vulnerabilities.

Recommendation:
FEMA should implement the corrective actions listed in the NFR for each technical control weakness identified.

FEMA-IT-06-02 (Repeat Issue; Risk Rating: High)

Condition:
During our technical testing, configuration management weaknesses were identified on [redacted] and key support servers. Specifically, servers were identified with password and auditing configuration weaknesses, and version weaknesses.

Recommendation:
FEMA should implement the corrective actions listed in the NFR for each technical control weakness identified.

FEMA-IT-06-03 (Repeat Issue; Risk Rating: High)

Condition:
There are no procedures in place to periodically review [redacted] user access lists to determine if access is still needed, including the development of a master listing of all employees and contractors developed and maintained by FSB.

Recommendation:
Develop and implement procedures regarding periodic review of access lists. The policy should require that a master listing of all employees and contractors is collaboratively developed and maintained by FSB in order to periodically determine whether logical user access to [redacted] is valid, consistent with job responsibilities, and according to the least privilege principle.

FEMA-IT-06-04 (Repeat Issue; Risk Rating: Medium)

Condition:
The [redacted] production and test servers are located in very close proximity to each other, which is not conducive to effective contingency planning efforts. We note that upon the implementation of the [redacted] Data Center's "real-time" back-up facility, both the [redacted] test and production servers will be redundant, alleviating the current condition. However, the Denton back-up facility does not currently have that capability in place.

Recommendation:
FEMA should, upon implementation of the [redacted] Data Center's "real-time" back-up facility, create redundant servers at the [redacted] Data Center for the two [redacted] servers located at [redacted].

FEMA-IT-06-05 (Repeat Issue; Risk Rating: High)

Condition:
• The [redacted] did not provide adequate documentation of the results to the accrediting authority. The [redacted] included thorough testing of managerial, operational and technical controls and identified 88 vulnerabilities; however, the vulnerabilities listed in the ST&E report were only identified as one POA&M weakness in the [redacted] POA&M.
• Of the 10 systems deemed critical for which the C&A process was completed, we noted that the following four systems did not include any documentation of [redacted] results in the ATO package: [redacted]
• FEMA has completed a majority of the [redacted] migration from Microsoft Windows 2000 Professional to [redacted], except for a few aspects of the migration dealing with Individual Assistance and various regional sites. We noted that these major changes to the system warrant that the C&A process be re-performed.

Recommendation:
• Document the results of the [redacted] by providing a detailed listing of the vulnerabilities and/or corrective action for the vulnerabilities in the ATO, as well as documenting them in an individual manner in the POA&M when the system is re-certified and accredited in 2007.
• Document the results of the ST&Es performed on [redacted] after performing technical testing, and provide results for the technical testing performed over the baseline security requirements in accordance with NIST 800-37 and the IT Security Program Handbook for MD4300A Sensitive Systems.
• Re-perform the C&A process for [redacted], due to the major changes the system has undergone, using NIST 800-37 and the IT Security Program Handbook for MD4300A Sensitive Systems.

FEMA-IT-06-06 (Repeat Issue; Risk Rating: Low)

Condition:
There are no formal, documented procedures in place to require updates to the system documentation as [redacted] functions are added, deleted, or modified.

Recommendation:
Develop and implement procedures to require updates to [redacted] documentation as functions are added, deleted, or modified.

FEMA-IT-06-07 (Repeat Issue; Risk Rating: High)

Condition:
• FEMA did not adequately document testing of the Contingency Plan for [redacted]. Although a table-top test of the [redacted] Contingency Plan was completed on February 10, 2006, the [redacted] table-top test did not adequately test the IT components of the system/processes.
• FEMA does not have an accurate Contingency Plan for [redacted]. The most recent version of the [redacted] Contingency Plan is dated July 19, 2004. However, since that time, FEMA has nearly completed its migration of [redacted] from Microsoft Windows 2000 Professional to the [redacted] operating system and is adding a Small Business Administration web interface.

Recommendation:
• Perform a full test of the [redacted] Contingency Plan when the [redacted] Data Center is prepared to be the functional alternate site for [redacted]. As part of this contingency plan test, FEMA should include the IT components in order to assess whether they will operate as planned. Additionally, testing of the Contingency Plan should be performed annually.
• Update the [redacted] Contingency Plan and then perform an adequate test of the plan in compliance with DHS 4300A and NIST 800-34, once the [redacted] migration is complete.

FEMA-IT-06-08 (Repeat Issue; Risk Rating: Medium)

Condition:
The FEMA COOP has prioritized each of its 12 critical Information Technology (IT) systems according to the criticality of the systems; however, the FEMA COOP has not been updated to take into account the new listing of FEMA critical IT systems. We confirmed with the Office of Cyber Security (OCS) and ONSC that the updated listing of FEMA mission critical IT systems should be represented in the FEMA COOP.

Recommendation:
Update the FEMA COOP to clearly state and prioritize the listing of 12 critical IT systems that would be brought back online at various alternate processing sites in the event of a disaster.

FEMA-IT-NFR-06-09 (Repeat Issue; Risk Rating: Medium)

Condition:
• [redacted] users are not locked out of the system after three invalid logon attempts. In addition, we determined that upon locking a user account out of the system after three invalid logon attempts at the domain level, the user account becomes unlocked and active again after fifteen (15) minutes of inactivity.
• [redacted] settings on machines running Microsoft Windows 2000 Professional disabled the user's ability to disable the password protected screensaver; however, the [redacted] settings did not disable the user's ability to change the inactivity threshold to greater than the FEMA standard of fifteen minutes. This weakness impacts [redacted].

Recommendation:
• Complete a review over all [redacted] settings for Microsoft Windows 2000 users and ensure that all [redacted] settings are properly applied to those users, including disabling the user's ability to change the inactivity threshold of the password protected screensaver.
• Ensure that FEMA users locked out of the system at the domain level must have the system administrator unlock and reset passwords for users, per Department of Homeland Security (DHS) Information Technology Security Program Publication, 4300A.

FEMA-IT-06-10 (Repeat Issue; Risk Rating: Medium)

Condition:
[redacted] settings on machines running Microsoft Windows 2000 Professional prevented the user's ability to disable the password protected screensaver; however, the [redacted] settings did not prevent the user's ability to change the inactivity threshold. The implementation of a password protected screensaver as a mitigating control for lacking a second form of authentication is not sufficient if users have the ability to change the inactivity threshold to greater than the FEMA standard of fifteen minutes. This weakness impacts [redacted].

Recommendation:
Complete a review over all [redacted] settings for Microsoft Windows 2000 users and ensure that all [redacted] settings are properly applied to those users, including disabling the user's ability to change the inactivity threshold of the password protected screensaver.

FEMA-IT-06-11 (New Issue; Risk Rating: High)

Condition:
• Password configurations for the [redacted] application have been configured to permit passwords to be a minimum of six characters in length, which is not in compliance with Department of Homeland Security (DHS) Information Technology Security Program Publication, 4300A.
• Access authorizations for [redacted] are not consistently documented and maintained on file. We noted that FEMA Form 20-24, User Access Control Form, was not completed for three (3) out of a sample of twenty-five (25) new user access request forms for [redacted].

Recommendation:
• Configure the [redacted] application to require a password to be a minimum of eight characters in length, to be in compliance with the DHS Information Technology Security Program Publication, 4300A Password Policy.
• Ensure that [redacted] user access is only granted upon completion of FEMA Form 20-24, [redacted] User Access Control Form, and evidence of supervisory authorization. In addition, the access request forms should be retained for at least one year.

FEMA-IT-06-12 (New Issue; Risk Rating: Medium)

Condition:
No policies or procedures exist to periodically review [redacted] access listings to determine if access is still required or if access levels are commensurate with users' job responsibilities. We noted that [redacted] user access lists have not been reviewed to determine if access is still required or if access levels are commensurate with users' job responsibilities.

Recommendation:
Develop and implement procedures regarding periodic review of [redacted] access lists. The policy should require that a master listing of all users is periodically reviewed to determine whether logical user access to [redacted] is valid, consistent with job responsibilities, and according to the least privilege principle. Additionally, a review of all [redacted] user accounts should be performed at least annually.

FEMA-    Twenty-nine (29) terminated or separated       •   Complete a review over all existing FEMA                           X
IT-06-   FEMA 
employees and contractors maintain            application users\xe2\x80\x99 access to ensure that access\n  13     active         user accounts. Additionally,        to each respective application is warranted.\n         we noted that two (2) terminated or            \xe2\x80\xa2   Per FEMA Instruction 1540.3, perform a\n         separated FEMA employees maintain active           review of authorized accounts on a semi-\n                  user accounts. The implementation         annual basis and remove terminated\n         of FEMA Instruction 1540.3 as a form of            employees\xe2\x80\x99 access to all FEMA systems.                                         High\n         access controls review is not sufficient\n         because FEMA is only performing reviews\n         over current year terminations and\n         separations, and has not performed reviews\n         over legacy users to ensure that all users\n         have valid access.\n\nFEMA-             software request forms were not       Enforce the requirement for written email approval       X\nIT-06-   consistently approved by supervisors. 
We       by a supervisor for all       software requests to\n  14     noted that FEMA Software Tracking Form,        comply with FEMA P            rocedures for\n         did not have supervisor approval prior to      Removal and Return of Storage Media from and to\n         receiving software for eight (8) out of a      the Library.\n         sample of fifteen (15)           software\n         request tickets, which is not in compliance                                                                                       High\n         with the FEMA Policy \xe2\x80\x93 Procedures for\n         Removal and Return of Storage Media from\n         and to the Library, as well as DHS\n         Information Technology Security Program\n         Publication, 4300A.\n\nFEMA-    \xe2\x80\xa2           s and withdrawals of         and   \xe2\x80\xa2   Develop and implement procedures to                  X\nIT-06-                backup tapes are not authorized       authorize and log the withdrawal of         and\n  15         or logged.                                              backup tapes. The policy should                                       High\n         \xe2\x80\xa2            and         backup tapes are          require that a documented backup inventory\n             not rotated to an offsite location.            
for        and         is maintained, a log for\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     70\n\x0c                                                                                                                                 Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                          Risk\nNFR #                     Condition                                     Recommendation                        New Issue   Repeat Issue\n                                                                                                                                         Rating\n                                                            the deposit and withdrawal of         and\n                                                                    backup tapes, and documented\n                                                            procedures for the delivery and pickup of\n                                                                   and          backup tapes.\n                                                        \xe2\x80\xa2   Upon implementation of the\n                                                                                                Data\n                                                            Center\xe2\x80\x99s \xe2\x80\x9creal-time\xe2\x80\x9d back-up facility, create\n                                                            redundant servers at the        Data Center for\n                                                            the        and          
servers located at\n\n\nFEMA-    FEMA Policy - Sanitization and Release of      Ensure that FEMA Policy - Sanitization and               X\nIT-06-   Electronic Storage Media has not been          Release of Electronic Storage Media is finalized,\n  16     finalized or implemented and is currently in   and promulgated to necessary FEMA personnel.                                     Medium\n         draft form.\n\nFEMA-    No formally documented configuration           Develop and implement formal policies and                X\nIT-06-   management plan is in place for                procedures over the      configuration\n  17     FEMA has informal configuration                management process modeled after the informal\n         management procedures for                      configuration management process currently in                                     High\n         however they have not been formally            place.\n         documented.\n\nFEMA-    \xe2\x80\xa2   A documented configuration                 \xe2\x80\xa2   Finalize the formal policies and procedures          X\nIT-06-       management plan is in place for                over the          configuration management\n  18                 ; however, it is currently in          process to be in compliance with DHS\n             draft form. We noted that the plan             Information Technology Security Program\n             has multiple sections where input              Publication, 4300A.                                                           High\n             from FEMA personnel is requested           \xe2\x80\xa2   Develop and implement formal policies and\n             by the Contractor who created the              procedures for restricting access to\n             plan, however, FEMA has not                    system software, and promulgate it to all\n             responded back to these requests.              
needed personnel, to be in compliance with\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     71\n\x0c                                                                                                                                 Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                          Risk\nNFR #                     Condition                                      Recommendation                       New Issue   Repeat Issue\n                                                                                                                                         Rating\n             Additionally, the                                DHS Information Technology Security\n             configuration management plan was                Program Publication, 4300A.\n             created in 1998 and needs to be              \xe2\x80\xa2   Develop and implement formal          patch\n             updated to reflect the current                   management policies and procedures in\n             environment.                                     
accordance with DHS Information Technology\n         \xe2\x80\xa2   No documented policies and                       Security Program Publication, 4300A.\n             procedures are in place for restricting\n             access to system software.\n         \xe2\x80\xa2   No documented             Patch\n             Management Policy has been\n             documented.\n\nFEMA-    No formally documented policies and              Develop and implement formal policies and              X\nIT-06-   procedures are in place for restricting access   procedures for restricting access to      system\n  19     to       system software                         software, and promulgate it to all needed\n                                                          personnel, to be in compliance with DHS                                        Medium\n                                                          Information Technology Security Program\n                                                          Publication, 4300A.\n\nFEMA-            application                              Limit the Contractors access to the                    X\nIT-06-   programmers/configuration management             production environment to \xe2\x80\x9cread only\xe2\x80\x9d and\n  20     group responsible for maintaining and            segregating the responsibility for deploying\n         developing changes for          are also         application code changes into production from the\n         responsible for migrating application code       Contractor to an independent control group.\n         changes into the production environment.                                                                                         
High\n         We noted t           ntractor us\n         username,             within the\n         Unix envir           deploy app\n         code changes into the         production\n         environment.\nFEMA-    No formal investigation procedures are in        Develop and implement formal policies and              X\n                                                                                                                                         Medium\nIT-06-   place to review suspicious system                procedures to review suspicious system software\n\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       72\n\x0c                                                                                                                                Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                         Risk\nNFR #                     Condition                                    Recommendation                        New Issue   Repeat Issue\n                                                                                                                                        Rating\n  21     software activities or suspicious access      and access activities for       o be in compliance\n         activities for                                with DHS Information            gy Security\n                                                       Program Publication, 4300A.\n\nFEMA-    \xe2\x80\xa2   No documented policies and                \xe2\x80\xa2   Develop and implement formal policies 
and            X\nIT-06-       procedures exist to monitor sensitive         procedures to monitor sensitive access and\n  22         ac           ystem software utilities         system software utilities fo         to be in\n             fo                                            compliance with DHS Information\n         \xe2\x80\xa2   No formal investigation procedures            Technology Security Program Publication,\n             are in place to review suspicious             4300A.\n             system software activities or             \xe2\x80\xa2   Develop and implement formal investigation                                   Medium\n             suspicious access activities for              policies and procedures to review suspicious\n                                                           system software and access activities for\n                                                                    to be in compliance with DHS\n                                                           Information Technology Security Program\n                                                           Publication, 4300A.\n\nFEMA-    No documented SDLC has been                   Develop, implement and establish a documented            X\nIT-06-   developed for                                 SDLC methodology for            as well as\n  23                                                   incorporating security planning throughout the life\n                                                       cycle. 
Furthermore, ensure that the SDLC\n                                                       methodology is promulgated to all personnel                                       High\n                                                       involved in the design, development, and\n                                                       implementation process on the SDLC\n                                                       methodology.\n\nFEMA-    No document             has been              Develop, implement and           h a documented          X\nIT-06-   developed fo                                  SDLC methodology for             as well as\n  24                                                   incorporating security planning throughout the life\n                                                                                                                                         High\n                                                       cycle. Furthermore, ensure that the SDLC\n                                                       methodology is promulgated to all personnel\n                                                       involved in the design, development, and\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     73\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                            Risk\nNFR #                     Condition                                  
     Recommendation                        New Issue   Repeat Issue\n                                                                                                                                           Rating\n                                                          implementation process on the SDLC\n                                                          methodology.\n\nFEMA-                                                     Develop and implement detailed emergency exit            X\n         Emergency exit and re-entry procedures are\nIT-06-                                                    and re-entry procedures for the            data\n         not effective for the data center housing the\n  25                                                      center housing the                      production\n                              production and test\n                                                          and test servers which accurately portrays the\n         servers. The current procedures do not\n                                                          controls around re-entry into the data center. Once\n         provide detailed information regarding the                                                                                        Medium\n                                                          these procedures have been developed they must\n         exact procedures needed to re-enter the data\n                                                          be promulgated to all            data center\n         center after leaving the facility for an\n                                                          operators as well as displayed throughout the data\n         emergency.\n                                                          center.\n\nFEMA-    Excessive access has been granted to             \xe2\x80\xa2   Ensure that the         system administrator         X\nIT-06-                  . 
We identified one member            privileges remain restricted to only the\n  26     of Group 0001 who does not have a real               minimum number of users necessary to\n         business need to have access to this                 achieve the principle of least privilege.\n         function. We informed the Financial              \xe2\x80\xa2   Develop procedures to perform routine\n         Services Branch (FSB) of the excessive               monitoring         ystem administrator\n                      access and noted that FSB               accounts in                                                                  Medium\n         removed the user with excessive access.\n         We noted that corrective action has been\n         taken and completed in the current fiscal\n         year; however, this issue posed a risk for a\n         majority of the fiscal year and therefore will\n         be reported as a weakness for FY 2006.\n\nFEMA-    Twenty-one (21) users in Group 0002 and          \xe2\x80\xa2   Implement a solution to limit the excessive\nIT-06-   eight (8) users in Group 0003 have the               access to the online         account mapping\n  27     ability to gain access to the account                functions and the ability to make offline                                     High\n         mapping functions and make changes to the            changes to the general ledger account tables.\n         account tables. 
Of the 21 users in Group             Access rights should be periodically\n\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       74\n\x0c                                                                                                                                  Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\n                                                                                                                                           Risk\nNFR #                     Condition                                       Recommendation                       New Issue   Repeat Issue\n                                                                                                                                          Rating\n         0002, nine (9) users do not have a real              reevaluated and limited to people who have a\n         business need to have access to this                 business need.\n         function. The 9 users that         o have        \xe2\x80\xa2   Develop procedures to perform routine\n         excessive access consist of                          monitoring over access to the online\n         developers or others with system                     account mapping functions and gene           r\n         administrative access. 
Additionally, of the          account tables.\n         8 users in Group 0003, six (6) users do not\n         have a real business need to have access to\n         this function.\n\n         Additionally, excessive access is designed\n         to be permitted within         to make\n         offline changes to the general ledger\n         account tables via the\n\n                                               ntified\n                           he          group that have\n         the ability to make          hanges to the\n         general ledger account tables. Of the five\n         users, four (4) users do not have a real\n         business need to have access to this\n         function.\n\nFEMA-               user access request forms were        Ensure             Enterprise System Access             X\nIT-06-   not consi              leted prior to granting   Request forms are only provided to the Department\n  28     access to              Specifically, two (2)     of Treasury for granting access upon completion of\n         out of a sample of thirteen (13) did not have    the access request form with evidence of                                         Low\n         a supervisor\xe2\x80\x99s approval.                         
supervisory authorization.\n\n\nFEMA-    \xe2\x80\xa2   An applicant\xe2\x80\x99s homeowner\xe2\x80\x99s                   \xe2\x80\xa2   Ensure that applicant\xe2\x80\x99s homeowner\xe2\x80\x99s                 X\nIT-06-       insurance status is not verified prior to        insurance status is verified by developing and                              High\n  29\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       75\n\x0c                                                                                                                                       Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\n                                                                                                                                                Risk\nNFR #                     Condition                                        Recommendation                           New Issue   Repeat Issue\n                                                                                                                                               Rating\n             granting disaster housing assistance.             
implementing procedures to establish a\n         \xe2\x80\xa2   The automated home ownership                      centralized database to verify applicant\xe2\x80\x99s\n             verification check within           failed        homeowner\xe2\x80\x99s insurance status.\n             by (a) misidentifying a renter as a           \xe2\x80\xa2   In conjunction with a contractor, develop and\n             homeowner and (b) failing to verify               implement a reliable method of obtaining\n             home ownership status for a valid                 accurate and up to date home ownership\n             homeowner.                                        information.\n\nFEMA-    \xe2\x80\xa2   Visitor logs a                ned to the      \xe2\x80\xa2   Develops policies and procedures requiring all          X\nIT-06-       LAN room at                    LAN Data           visitors to sign in and out on the visitors log\n  30         Center in                                         when entering and leaving the computer/server\n         \xe2\x80\xa2   One separated CSC personnel retained              room.\n             physical access to the Lanham facility;           Maintains visitor logs for the LAN\n             however, this individual did not have                            LAN Data Center in\n             access privileges to the LAN room.\n         \xe2\x80\xa2   Management does not periodically              \xe2\x80\xa2   Develops and implements policies to inform                                       Low\n             review physical access listings to                the physical security personnel of separated\n             determine if access is still required or if       individuals with access to NFIP facilities.\n             access levels are commensurate with           \xe2\x80\xa2   Develops and implements policies to\n             users\xe2\x80\x99 job responsibilities.                      
periodically review physical access listings to\n                                                               determine if access is still required or if access\n                                                               levels are commensurate with users\xe2\x80\x99 job\n                                                               responsibilities.\n\nFEMA-    \xe2\x80\xa2   The            application does not           \xe2\x80\xa2   Implements a separate password                          X\nIT-06-       require password authentication                   authentication for the        application\n  31         separate from an initial Local Area               with password parameters that are in\n             Network (LAN) password                            compliance with DHS Information                                                 High\n             authentication to identify and                    Technology Security Program Publication,\n             authenticate user access.                         
4300A.\n         \xe2\x80\xa2   No audit trails documenting user              \xe2\x80\xa2   Develops and implements policies and\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                         76\n\x0c                                                                                                                                      Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\n                                                                                                                                               Risk\nNFR #                     Condition                                        Recommendation                          New Issue   Repeat Issue\n                                                                                                                                              Rating\n             actions or actual or attempted access are         procedures to monitor or review sensitive\n             maintained or reviewed.                           activity, such as transaction activities, changes\n         \xe2\x80\xa2   The           application does not                to security profiles, and actual or attempted\n             timeout after a period of inactivity.             access.\n         \xe2\x80\xa2   Password protected screensavers are not       \xe2\x80\xa2   Implements a session termination after the\n             operating on all NFIP desktops.                   
(continuation of the preceding NFR, whose number and rating fall before this page)
  Condition:
    • ... the DHS required period of inactivity.
    • Information owners do not periodically review access authorization listings to determine if access is still required or if access levels are commensurate with users' job responsibilities.
    • [redacted] does not disable accounts after a period of inactivity, such as 90 days.
  Recommendation:
    • Requires and enforces that all workstations use a password protected screensaver that is activated after the DHS required period of inactivity.
    • Develops and implements policies and procedures regarding periodic review of [redacted] access lists in order to determine whether logical user access is valid.
    • Configures the [redacted] application to disable inactive accounts in accordance with DHS 4300A.

FEMA-IT-06-32
  Condition:
    • Information owners do not periodically review access authorization listings to determine if access is still required or if access levels are commensurate with users' job responsibilities.
    • Does not disable accounts after a period of inactivity, such as 90 days.
    • Does not enforce the DHS password requirements beyond the use of 8 characters.
    • Does not have a session timeout after the DHS required period of inactivity.
    • Audit trails are not reviewed in accordance with Production Systems Control (PSC) and DHS policy.
  Recommendation:
    • Develops and implements policies and procedures regarding periodic review of application access lists in order to determine whether logical user access is valid, consistent with job responsibilities, and in accordance with the principle of least privilege.
    • Configures the [redacted] application to automatically disable inactive accounts in accordance with DHS 4300A.
    • Configures [redacted] password requirements to meet DHS requirements.
    • Identifies and implements system capabilities to terminate sessions after a period of inactivity.
    • Performs reviews of audit trails documenting user actions, including changes to security profiles and actual or attempted unauthorized, unusual, or sensitive access. Documents and maintains reviews and investigations of suspicious activity.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit

77

Appendix B

Department of Homeland Security
Information Technology Management Letter
September 30, 2006

Columns: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating

FEMA-IT-06-33
  Condition:
    Segregation of duties controls were not implemented for the [redacted] General Ledger application, such as establishing user roles and groups.
  Recommendation:
    • Identify and document incompatible duties, and system roles and responsibilities within [redacted].
    • Develop and implement policies and procedures segregating incompatible duties within [redacted] to be in compliance with DHS Information Technology Security Program Publication, 4300A.
    • Identify and implement capabilities within [redacted] that enforce segregation of incompatible duties.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

FEMA-IT-06-34
  Condition:
    The current program build of [redacted] Corporate Edition for the NFIP local area network (LAN) had Security Advisory SYM06-010 issued about it on June 6, 2006, indicating that a security flaw had been identified allowing a remote or local attacker to execute code on an affected system.
  Recommendation:
    • Develops and implements policies to monitor, [redacted] and install updates to [redacted] Corporate Edition.
    • When implementing an update, ensures that patches are successfully installed on all LAN servers and workstations in a timely manner.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-35
  Condition:
    • [redacted] change management procedures are not documented.
    • Installation of the new version of [redacted] in FY 2006 was not formally approved by users.
    • Installation of the operating system upgrade in FY 2006 was not formally documented or approved.
  Recommendation:
    • Develops and implements change management procedures around [redacted] and formally documents approvals to changes prior to installing new versions in the production environment.
    • Develops and implements change management procedures over system software changes and establishes documented approvals prior to installing or upgrading system software.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-36
  Condition:
    • Five of 15 selected mainframe changes did not have the documented requestor's change approval on the Operations Service Request (OSR) forms.
    • The NFIP mainframe baseline configuration document has not been updated to reflect the current environment.
  Recommendation:
    • Documents and implements change management procedures requiring approvals prior to implementing changes in the production environment.
    • Develops and implements policies and procedures requiring an update to the mainframe baseline configuration document when there is a change to the environment.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-37
  Condition:
    Excess access was identified to the following Transaction Record Reporting and Processing accounts: [table redacted]
  Recommendation:
    • Implements the recommendations from the table provided in the condition above, in order to mitigate excessive access to sensitive mainframe production members.
    • Develops and implements procedures to perform a periodic review of access to mainframe production datasets to determine whether access is valid, consistent with job responsibilities, and according to the least privilege principle.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-38
  Condition:
    There are no individual user accounts for LAN administrator access, and the generic [redacted] account is shared amongst [redacted] administrators. Furthermore, the LAN has the capability to maintain system activity logs; however, system administrators do not regularly review the logs.
  Recommendation:
    • Creates additional [redacted] user accounts to allow for accountability while performing [redacted] duties.
    • Regularly reviews system activity logs over [redacted] accounts in order to detect attempted malicious activity or other security breaches.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-39
  Condition:
    Access to the Excel files that calculate the Loss and Loss Adjustment Expense appears excessive. Specifically, we identified that modify and write access permissions to the Excel files appear inappropriate for six people of the Bureau of Finance and Statistical Control group.
  Recommendation:
    Restricts access to the Loss and Loss Adjustment Expense ("LAE") Reserves Estimates Excel files to the Actuary and Finance Director in order to achieve the principle of least privilege.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-40
  Condition:
    No formal change control procedures are in place to authorize, test, verify, and approve program changes made to the Loss and Loss Adjustment Expense Reserves Excel files.
  Recommendation:
    Develop and implement formal change control procedures around the Loss and Loss Adjustment Expense Excel files. Change procedures should at a minimum include procedures to formally authorize, test, and document changes prior to the change being implemented.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-41
  Condition:
    • Visitor logs are not maintained for the [redacted] raised floor data center in [redacted].
    • Two separated CSC personnel retained physical access to the [redacted] facility.
  Recommendation:
    • Develops and implements policies and procedures requiring all visitors to sign in and out on the visitors log when entering and leaving the computer/server room. Maintain visitor logs for the [redacted]'s raised floor data center in [redacted].
    • Develops and implements policies to ensure that physical security personnel are consistently informed of separating individuals, including those terminated through a reduction in force.
    • Ensures that separated individuals' physical access to the facility is consistently removed in a timely manner.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Low

FEMA-IT-06-42
  Condition:
    • Information owners do not periodically review access authorization listings to determine if access is still required or if access levels are commensurate with users' job responsibilities.
    • Audit trails are not reviewed in accordance with DHS policy.
    • Excessive access to the [redacted] on the [redacted] [redacted] to 1 security administrator and 31 operations personnel.
  Recommendation:
    • Develops and implements policies and procedures regarding periodic review of mainframe access lists in order to determine whether logical user access is valid, consistent with job responsibilities, and in accordance with the principle of least privilege.
    • Performs reviews of audit trails documenting user actions, including changes to security profiles and actual or attempted unauthorized, unusual, or sensitive access. Documents and maintains reviews and investigations of suspicious activity.
    • Ensures access to the [redacted] dataset is limited to those personnel that require an elevated level of access in the system.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

FEMA-IT-06-43
  Condition:
    One of the eight requested exit checklists used to ensure that all physical and logical access of terminated personnel is removed was not provided.
  Recommendation:
    Perform corrective actions to improve coordination efforts between the [redacted] Data Center and the CSC Human Resources department and to ensure that exit checklists are available for all terminated/separated personnel.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Low


Department of Homeland Security
FY2006 Information Technology
Notification of Findings and Recommendations – Detail

Consolidated

CONS-IT-06-01
  Condition:
    Two members of DHS OFM had excessive [redacted] access within DHS [redacted]. We informed DHS OFM of the excessive access and noted that DHS OFM removed both users with excessive [redacted] access. We noted that corrective action has been taken and completed in the current fiscal year; however, this issue posed a risk for a majority of the fiscal year and therefore will be reported as a weakness for FY 2006.
  Recommendation:
    Ensure that the [redacted] privileges assigned to DHS OFM and Department of Treasury users remain restricted to only the minimum privileges necessary to achieve the principle of least privilege.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Low

CONS-IT-06-02
  Condition:
    [redacted] new user access request forms were not consistently completed prior to granting access to [redacted]. Specifically, one (1) out of a sample of eleven (11) did not have a supervisor's approval. Additionally, five (5) out of a sample of eleven (11) did not have [redacted] security manager review.
  Recommendation:
    Ensure that [redacted] user access is only granted upon completion of the new user access request form with evidence of supervisory authorization and [redacted] security manager's review. In addition, the access request forms should be retained.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CONS-IT-06-03
  Condition:
    OFM has not developed procedures to periodically review [redacted] access lists in order to determine whether user access is valid, consistent with job responsibilities, and in accordance with the principle of least privilege.
  Recommendation:
    Develop and implement policies and procedures regarding periodic review of [redacted] access lists in order to determine whether logical user access is valid, consistent with job responsibilities, and in accordance with the principle of least privilege.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CONS-IT-06-04
  Condition:
    During our audit, the following configuration management weaknesses were noted:
    • Segregation of duties violations exist for twelve (12) out of twenty-five (25) system changes made outside of the scheduled [redacted] Quarterly Releases.
    • Segregation of duties violations exist for four (4) out of ten (10) emergency system changes made outside of the scheduled [redacted] Quarterly Releases.
    • Test documentation is not available for changes implemented outside of the scheduled Quarterly Releases.
  Recommendation:
    • Segregate the duties of the lead developer of emergency and non-emergency software performed outside of the scheduled Quarterly Releases, thereby preventing the developer of a software change from testing their own work.
    • Ensure that DHS management follows the Department of [redacted], ASSC SDLC Workflow and Processes Handbook, and that a higher degree of management oversight is utilized for the development and implementation of all changes over DHS [redacted].
    • Maintain test plans and test results for all changes implemented outside of the scheduled [redacted] Quarterly Releases.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CONS-IT-06-05
  Condition:
    There are no documented procedures in place for DHS components to perform a formal review, by a separate approving individual, to verify the financial data to the general ledger before moving the [redacted] file from the Holding Area into the Repository.
  Recommendation:
    Document and implement procedures for DHS components to perform a formal review of [redacted] financial data, by a separate approving official, to the general ledger before moving it into the Repository.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

CONS-IT-06-06
  Condition:
    There are no individual user accounts for [redacted] DBA access, and the generic "[redacted]" account is shared amongst the two DBAs.
  Recommendation:
    Create an additional DBA user account to allow for accountability when migrating approved software changes into the production environment or while performing other DBA duties.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CONS-IT-06-07
  Condition:
    The DHS Office of Financial Management (OFM) is not requiring [redacted] users to formally acknowledge and sign the FARS ROB prior to being granted access to [redacted]. We noted that eighteen (18) out of a sample of (20) [redacted] users had not formally acknowledged and signed the FARS ROB document.
  Recommendation:
    • Require all Federal and contract DHS [redacted] users to acknowledge and sign the FARS ROB prior to being granted access to DHS [redacted].
    • Require all existing DHS [redacted] users to acknowledge and sign the FARS ROB on a yearly basis.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CONS-IT-06-08
  Condition:
    • Password configurations for the [redacted] application have been configured to permit passwords to be a minimum of six (6) characters in length, which is not in compliance with Department of Homeland Security (DHS) Information Technology Security Program Publication, 4300A, which requires passwords to be a minimum of eight (8) characters in length.
    • [redacted] application administrators lock out accounts if a user has not accessed the account after 180 days, which is not in compliance with Department of Homeland Security (DHS) Information Technology Security Program Publication, 4300A, which requires administrators to lock out accounts if a user has not accessed the account after 90 days.
  Recommendation:
    • Configure the [redacted] application password parameters to be in compliance with DHS Information Technology Security Program Publication, 4300A.
    • Configure the [redacted] application to lock out user accounts that have been inactive for 90 days to be in compliance with DHS Information Technology Security Program Publication, 4300A.
    • Promulgate DHS Information Technology Security Program Publication, 4300A and other DHS-wide information system security publications to the Department of Treasury contractors in order to educate them in DHS information system security requirements and to ensure they are implemented on DHS [redacted] and DHS [redacted].
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

CON-IT-06-09
  Condition:
    The password configurations for the [redacted] application have been configured to not enforce passwords to have a combination of alphanumeric characters and special characters, which is not in compliance with Department of Homeland Security (DHS) Information Technology Security Program Publication, 4300A, which requires that passwords contain a combination of alphabetic, numeric, and special characters.
  Recommendation:
    Configure the [redacted] application password parameters to be in compliance with DHS Information Technology Security Program Publication, 4300A.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

CON-IT-06-10
  Condition:
    Personnel with physical access to the [redacted] production server, housed in the Department of Treasury Data Center, are not periodically reviewed for appropriateness of access.
  Recommendation:
    Ensure that the Department of Treasury develops and implements documented policies and procedures to periodically review the list of personnel with access to the Department of Treasury Data Center housing the [redacted] production server, to be in compliance with DHS Information Technology Security Program Publication, 4300A.
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium

CON-IT-06-11
  Condition:
    OFM does not maintain a termination/separated employee listing of OFM employees. As a result, we were unable to perform a control test to determine if terminated/separated OFM employees have access to [redacted].
  Recommendation:
    The DHS Office of the Chief Financial Officer should work with the DHS HR department in order to obtain a current listing of terminated or separated DHS OFM personnel and use that listing, on a scheduled basis, to determine if any terminated or separated DHS OFM personnel continue to have access to [redacted].
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CON-IT-06-12
  Condition:
    Department of Treasury media sanitization policies and procedures have not been developed for [redacted]. We noted that media sanitization services are provided by Iron Mountain through Qwest; however, there are no specific media sanitization policies and procedures in place for the Department of Treasury to sanitize [redacted] media.
  Recommendation:
    The DHS Office of the Chief Financial Officer should ensure that the Department of Treasury develops and implements media sanitization policies and procedures for [redacted] in the event that DHS would like to sanitize media without using the services of Iron Mountain.
  New Issue: X    Repeat Issue: not marked    Risk Rating: High

CON-IT-06-14
  Condition:
    Department of Treasury media sanitization policies and procedures have not been finalized or implemented. We noted that the Department of Treasury policy entitled "Memorandum: Destroying and Sanitizing Media" is currently in draft form.
  Recommendation:
    The DHS Office of the Chief Financial Officer should ensure that the Department of Treasury [redacted] Policy - Memorandum: Destroying and Sanitizing Media is
  New Issue: X    Repeat Issue: not marked    Risk Rating: Medium
  finalized, and promulgated to necessary\n                                                                  personnel.\n\n\n\n\n               Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    87\n\x0c                                                                                                                                 Appendix B\n\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2006\n\n                                                                                                                           Repeat         Risk\nNFR #                         Condition                                      Recommendation                    New Issue\n                                                                                                                            Issue        Rating\nCON-IT-   Discrepancies exist between the DHS Performance        \xe2\x80\xa2    Implement the recommendations                           X           Low\n 06-15    and Accountability Report (PAR) Guidance and the            from the table provided in the\n          Analytical Report                                           condition above, in order to make the\n                                                                      analytic report code, equations and\n                                                                      PAR guide consistent.\n                                                                 \xe2\x80\xa2    Develop and implement a\n                                                                      configuration management process\n                                                                      over analytic report changes to ensure\n    
                                                                  that changes to the report are\n                                                                      formally documented and\n                                                                      discrepancies can be more easily\n                                                                      rectified.\n\nCON-IT-   \xe2\x80\xa2    We determined that normal balance type            \xe2\x80\xa2    Implement changes to the DHS SGL                       X            Low\n 06-16        indicated on the DHS SGL for Account 4132               normal balance types of the accounts\n              and Account 7280 differ from the normal                 listed above in order to be in\n              balance type indicated on the US SGL.                   compliance with the USSGL.\n          \xe2\x80\xa2   We determined that 101 DHS SGL accounts            \xe2\x80\xa2    Review the accounts listed in the\n              were not found in the US SGL and reported a             DHS SGL and remove accounts that\n              zero balance for period 9. These accounts do not        are not applicable to DHS operations.\n              appear to be currently used by DHS and/or do       \xe2\x80\xa2    Develop a procedure to verify the\n              not appear to be related to DHS operations.             abnormal balance report logic after\n                                                                      any changes in the DHS SGL or\n                                                                      USSGL.\n\nCON-IT-   Access to waive fatal errors using the                            waive fatal errors using the          X                     Medium\n 06-17    role appears excessive for two employees per OFM                  role is limited to the Assistant\n          policy.                                                
Director of Financial Reporting Branch\n                                                                 and the Assistant Director of Financial\n                                                                 Management Coordination Branch, per\n                                                                 the documented OFM policy.\n\n\n               Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     88\n\x0c                                                                                                                             Appendix B\n\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2006\n\n                                                                                                                        Repeat        Risk\nNFR #                         Condition                                  Recommendation                     New Issue\n                                                                                                                         Issue       Rating\nCON-IT-   DHS is non-compliant with the Federal Information   The DHS Chief Financial Officer (CFO),                       X          High\n 06-18    Security Management Act                             in coordination with the DHS Chief\n                                                              Information Officer (CIO) and other DHS\n                                                              functional leaders, continue to ensure that\n                                                              DHS place further emphasis on the\n                                                              monitoring and enforcement of policies\n                                              
                and procedures through the performance\n                                                              of periodic security control assessments\n                                                              and audits.\n\n\n\n\n               Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                89\n\x0c                                                                                         Appendix B\n\n                           Department of Homeland Security\n                       Information Technology Management Letter\n                                  September 30, 2006\n\n\n\n\n                 Department of Homeland Security\n                  FY2006 Information Technology\n      Notification of Findings and Recommendations - Detail\n\n             Federal Law Enforcement and Training Center\n\n\n\n\nInformation Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                         90\n\x0c                                                                                                                                   Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\n                                                Department of Homeland Security\n                                                 FY2006 Information Technology\n                                     Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n                                           Federal Law Enforcement and Training Center\n\n                                                                                                                                            Risk\nNFR #            
           Condition                                       Recommendation                      New Issue   Repeat Issue\n                                                                                                                                           Rating\nFLETC-   \xe2\x80\xa2   No documented configuration                      \xe2\x80\xa2   Develop and implement FLETC specific             X                       Medium\nIT-06-       management plan is in place for                      policies and procedures over the\n01                        , including the following:              configuration management process in\n             - Lack of documented test plan                       compliance with DHS Configuration\n                 standards and procedures;                        Management policy.\n             - Lack of a documented comprehensive             \xe2\x80\xa2   Document a listing of all users with access\n                 set of test transactions;                        to the             production environment.\n             - Test results are not maintained and a              Ensure that access is prohibited to\n                 documented approval for the test                 development staff and that an independent\n                 results does not exist; and                      group deploys software changes into the\n             - Lack of a description for the                      production environment.\n                 emergency change process.                    \xe2\x80\xa2   Document a listing of all users with access\n         \xe2\x80\xa2   We were unable to verify that an                     to the            program libraries. 
Ensure\n             independent control group performed the              that access is prohibited to development\n             migration of tested and approved                     staff.\n                           system software to the\n             production environment.\n         \xe2\x80\xa2   We were unable to verify that access to\n                           program libraries is restricted.\n\n\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       91\n\x0c                                                                                                                                       Appendix B\n\n                                                      Department of Homeland Security\n                                                  Information Technology Management Letter\n                                                             September 30, 2006\n\n                                                                                                                                                Risk\nNFR #                        Condition                                        Recommendation                        New Issue   Repeat Issue\n                                                                                                                                               Rating\nFLETC-   \xe2\x80\xa2   No documented configuration                       \xe2\x80\xa2   Develop and implement documented                    X                       Medium\nIT-06-       management plan is in place for                       policies and procedures over the\n02                                   , including the                                      configuration\n             following:                                            management process modeled after the\n             - Lack of documented test plan                     
   informal configuration management process\n                  standards and procedures;                        currently in place.\n             - Lack of a documented comprehensive              \xe2\x80\xa2   Document a listing of all users with access\n                  set of test transactions;                        to the                       program\n             - Test results are not maintained and a               libraries. Ensure that access is prohibited to\n                  documented approval for the test                 development staff.\n                  results does not exist; and\n             - Lack of a description for the\n                  emergency change process.\n         \xe2\x80\xa2   We were unable to verify that access to\n                                      program libraries is\n                                      hat a listing of users\n             with access to the\n             production environment was unavailable.\n\nFLETC-   The installation of            system                 Enable audit logging over the installation of           X                       Medium\nIT-06-   software is not logged or reviewed by FLETC                       system software and ensure that logs\n03       management.                                           are maintained and periodically reviewed by\n                                                               management.\n\nFLETC-   The SDLC for                 is currently in draft    \xe2\x80\xa2   Finalize, and implement a SDLC                      X                       Medium\nIT-06-   form.                                                     
methodology for               as well as\n04                                                                 incorporating security planning throughout\n                                                                   the life cycle.\n                                                               \xe2\x80\xa2   Ensure that the SDLC methodology is\n                                                                   promulgated to all personnel involved in the\n                                                                   design, development, and implementation\n                                                                   process of the SDLC methodology.\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                        92\n\x0c                                                                                                                                Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                         Risk\nNFR #                       Condition                                     Recommendation                     New Issue   Repeat Issue\n                                                                                                                                        Rating\nFLETC-   \xe2\x80\xa2                backups maintained onsite        \xe2\x80\xa2   Periodically test the             backup         X                       Medium\nIT-06-       are not periodically tested.                      
compact discs maintained onsite in\n05       \xe2\x80\xa2   FLETC does not utilize external labels to         compliance with DHS Information\n             indicate the sensitivity of the information       Technology Security Program Publication\n             on the              backup compact discs          4300A.\n             (CDs).                                        \xe2\x80\xa2   Affix external labels to             backup\n                                                               CDs indicating the distribution limitations\n                                                               and handling caveats of the information in\n                                                               compliance with DHS Information\n                                                               Technology Security Program Publication\n                                                               4300A.\n\nFLETC-   The              contingency plan has not         Perform an adequate test of the                      X                       Medium\nIT-06-   been tested.                                      Contingency Plan, in compliance with DHS\n06                                                         Information Technology Security Program\n                                                           Publication 4300A. Additionally, testing of the\n                                                                       Contingency Plan should be\n                                                           performed annually.\n\nFLETC-   FLETC Manual 11041: Safeguarding                  Ensure that FLETC Manual 11041:                      X                       Medium\nIT-06-   Sensitive But Unclassified (For Official Use      Safeguarding Sensitive But Unclassified (For\n07       Only) Information is currently in draft form      Official Use Only) Information is finalized and\n         and has not been finalized or implemented.        
promulgated to necessary FLETC personnel.\n\nFLETC-   We noted that incidents are not tracked from      Establish a documented incident response             X                       Medium\nIT-06-   inception to resolution in an incident response   tracking mechanism in compliance with DHS\n08       management system.                                Information Technology Security Program\n                                                           Publication 4300A.\n\n\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    93\n\x0c                                                                                                                              Appendix B\n\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2006\n\n                                                                                                                                       Risk\nNFR #                      Condition                                     Recommendation                    New Issue   Repeat Issue\n                                                                                                                                      Rating\nFLETC-   We noted that there are five (5) generic/shared   \xe2\x80\xa2   Use unique DBA user accounts to allow for      X                        High\nIT-06-                         accounts shared amongst         accountability when performing DBA duties\n09       the two database administrators (DBAs).               
on                      .\n                                                           \xe2\x80\xa2                        le duties over\n                                                                                    and develop and\n                                                               implement policies and procedures that\n                                                               segregate the documented incompatible\n                                                               duties.\n\nFLETC-   The following Telecom access control              \xe2\x80\xa2   Develop policies and procedures                X                       Medium\nIT-06-   weaknesses were identified:                           regarding gaining access to the FLETC\n10                                                             Telecom Room, including the use of a\n         \xe2\x80\xa2   No policies and procedures are in place to        user authorization form.\n             request access to the Telecom Room.           \xe2\x80\xa2   Perform a semi-annual review of the\n         \xe2\x80\xa2   No policies and procedures are in place to        FLETC Telecom Room access listing in\n             periodically review the list of persons           compliance with DHS Information\n             with physical access to the Telecom               Technology Security Program Publication\n             Room.                                             4300A.\n         \xe2\x80\xa2   No emergency policies and procedures          \xe2\x80\xa2   Develop and implement the emergency\n             are in place for the evacuation and re-           procedures that include exit and re-entry\n             entry of the Telecom Room.                        
procedures into the Telecom Room.\n         \xe2\x80\xa2   No policies and procedures are in place to    \xe2\x80\xa2   Develop and implement policies and\n             guide and document the emergency                  procedures to train Telecom Room staff in\n             training of Telecom Room personnel.               emergency procedures pertaining, but not\n                                                               limited to fire, water, and alarm\n                                                               procedures. Additionally, formalize this\n                                                               training by retaining documentation that\n                                                               all staff has completed the training.\n\n\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                    94\n\x0c                                                                                                                                   Appendix B\n\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2006\n\n                                                                                                                                            Risk\nNFR #                       Condition                                      Recommendation                       New Issue   Repeat Issue\n                                                                                                                                           Rating\nFLETC-   \xe2\x80\xa2   No policies and procedures are in place        \xe2\x80\xa2   Ensure that FLETC Manual 4330: User                X                        High\nIT-06-       over access 
authorizations to                      Identification and Authentication\n11                                  and the general             Management is finalized, promulgated to all\n                                    g these applications.       FLETC employees and enforced.\n         \xe2\x80\xa2 No policies and procedures are in place to       \xe2\x80\xa2   Configure the\n             periodically review the list of                              appli\n                                         user accounts.         to be a minimum of eight characters in\n         \xe2\x80\xa2 No policies and procedures are in place to           length and contain a combination of\n             immediately notify                                 alphabetic, numeric, and special characters\n                                    System                      to be in compliance with DHS Information\n             administrators when users are terminated           Technology Security Program Publication,\n             or transferred.                                    4300A Password Policy.\n         \xe2\x80\xa2 Password configurations for                      \xe2\x80\xa2   Configure the                         to lock\n                                         have been              out user accounts users after three (3)\n             configured to permit passwords to be a             invalid login attempts to be in compliance\n             minimum of six characters in length with           with DHS Information Technology Security\n             no complexity requirements.                        
Program Publication, 4300A.\n         \xe2\x80\xa2                          users are locked out\n             of the system after five (5) invalid logon.\nFLETC-   FLETC Directive (FD) 43220: IT System              Ensure that FLETC Directive (FD) 43220: IT             X                       Medium\nIT-06-   Security Awareness and Training is currently in    System Security Awareness and Training is\n12       draft form and has not been finalized or           finalized, and enforced by having all new and\n         implemented.                                       existing FLETC users and contractors complete\n                                                            the training by May 31 of each year.\n\nFLETC-   There are no established policies and procedures   Develop and implement FLETC specific                   X                       Medium\nIT-06-   in place for the authorization and use of mobile   policies and procedures over the authorization\n13       code technologies. 
Currently, FLETC uses           and use of mobile code technologies to be in\n         client side Java Applets in connection with        compliance with DHS Information Technology\n                                                            Security Program Publication 4300A.\n\n\n\n                Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                     95\n\x0c                                                                                                                                   Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\n                                                                                                                                            Risk\nNFR #                       Condition                                      Recommendation                       New Issue   Repeat Issue\n                                                                                                                                           Rating\nFLETC-   There are no policies and procedures in place to   Develop and implement policies and procedures          X                       Medium\nIT-06-   review              audit logs for actual or       to proactively monitor sensitive access to system\n14       attempted unauthorized or unusual access to        software utilities for            to be in\n         sensitive data.                                    
compliance with DHS Information Technology Security Program Publication, 4300A.

FLETC-IT-06-15 (New Issue; Risk Rating: Medium)
Condition: There are no documented policies and procedures in place for restricting access to [redacted] system software.
Recommendation: Develop and implement policies and procedures for restricting access to [redacted] system software, and promulgate them to all needed personnel, to be in compliance with DHS Information Technology Security Program Publication, 4300A.

FLETC-IT-06-16 (New Issue; Risk Rating: Medium)
Condition: Incompatible duties and roles identified within the [redacted] application have not been documented, and no policies and procedures exist to segregate incompatible duties and roles.
Recommendation:
• Identify and document incompatible duties and system roles and responsibilities within the [redacted] application.
• Develop and implement policies and procedures segregating incompatible duties within [redacted] to be in compliance with DHS Information Technology Security Program Publication, 4300A.

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit
96

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2006

FLETC-IT-06-17 (New Issue; Risk Rating: Medium)
Condition: An established sanctions process for personnel failing to comply with established information security policies and procedures does not exist. However, we noted that FLETC Manual 4900, Information Technology System Rules of Behavior (ROB) and Use Agreements, was finalized in August 2006 and establishes the disciplinary actions personnel could be subject to if the ROB are not followed. We noted that the policy is finalized but has yet to be implemented.
Recommendation:
• Implement FLETC Manual 4900, Information Technology System ROB and Use Agreements, and require all existing Federal and contract employees who use the FLETC LAN to acknowledge and sign the ROB.
• Require all new Federal and contract employees who use the FLETC LAN to acknowledge and sign the ROB prior to being granted access to the FLETC LAN.

FLETC-IT-06-18 (New Issue; Risk Rating: Medium)
Condition: There are no FLETC specific established policies and procedures in place for the use and installation of [redacted]. We noted that FLETC is currently using the Defense Information Systems Agency (DISA) Telephony & [redacted] Guide and the FLETC VoIP Security Checklist for the use and installation of [redacted]. Currently, this technology is used at three FLETC sites and is all interconnected through the FLETC Wide Area Network (WAN), which has a direct connection with [redacted].
Recommendation:
• Develop and implement FLETC specific policies and procedures over the authorization and use of [redacted] to be in compliance with DHS Information Technology Security Program Publication, 4300A, and NIST SP 800-58.
• Conduct a security inspection of the [redacted] VoIP installations by completing the VoIP Security Checklist for each site.

FLETC-IT-06-19 (New Issue; Risk Rating: High)
Condition: We noted that twelve (12) out of a sample of fifteen (15) FLETC contractors did not have evidence that a background investigation was initiated or completed.
Recommendation: Perform background checks on all new and existing contractors, ensuring that background checks and periodic re-investigations are performed in a timely manner and that supporting documentation is maintained.

FLETC-IT-06-20 (New Issue; Risk Rating: Medium)
Condition: We noted that a user of the [redacted] Fixed Assets module has the ability to change the useful life field during the asset entering process.
Recommendation:
• Disable the user’s ability to manually edit the depreciation useful life field during the asset entering process within the [redacted] Fixed Assets module.
• Ensure that changes made after the asset entering process to the depreciation useful life in years undergo a documented change process with evidence of supervisory approval.

FLETC-IT-06-21 (New Issue; Risk Rating: Medium)
Condition: The following [redacted] access control weaknesses were identified:
• No policies and procedures are in place to review [redacted] server level system software audit logs for successful or unsuccessful access attempts.
• No audit logs are maintained to capture actual or attempted unauthorized, unusual or sensitive access within the [redacted] application level.
Recommendation:
• Develop and implement policies and procedures to proactively monitor actual or attempted unauthorized, unusual or sensitive access to system software utilities for [redacted] to be in compliance with DHS Information Technology Security Program Publication, 4300A.
• Ensure that management performs manual auditing of the Oracle database tool the [redacted] application resides on.

FLETC-IT-06-22 (New Issue; Risk Rating: High)
Condition: During technical testing, configuration management weaknesses were identified on the databases supporting the [redacted] applications, as well as on supporting servers. Specifically, databases and servers were identified with account management, auditing, database configuration and password management weaknesses.
Recommendation:
• Implement the corrective actions noted in the findings.
• Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

FLETC-IT-06-23 (New Issue; Risk Rating: High)
Condition: During technical testing, patch management weaknesses were identified on hosts and databases supporting the [redacted] applications. The fact that these vendor supplied patches have not been applied in a timely manner could allow a remote attacker to gain unauthorized access on the host or database.
Recommendation:
• Implement the corrective actions noted in the findings.
• Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
• Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

Department of Homeland Security
FY2006 Information Technology
Notification of Findings and Recommendations – Detail

Grants and Training (G&T) – Under Preparedness

G&T 06-01 (New Issue; Risk Rating: Medium)
Condition: The Plan of Action and Milestones (POA&M) report for G&T does not identify the scheduled completion date and/or the status of corrective action taken for each IT weakness listed on the POA&M report.
Recommendation:
• Follow OMB policy in regards to reporting and tracking, in the G&T POA&M reports, all security weaknesses identified during any reviews done by, for, or on behalf of the agency.
• Do not remove any POA&M weakness until the corrective action taken by G&T to mitigate the identified POA&M weakness has been verified. Additionally, if the POA&M weakness was identified by the OIG during an audit, then the POA&M weakness cannot be removed until the OIG has verified and validated that the corrective action has mitigated the weakness.

G&T 06-02 (New Issue; Risk Rating: High)
Condition: G&T does not have a signed waiver in place as part of their Interagency Agreement (i.e. MOU) to mitigate the issue of their lack of compliance with NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” security controls.
Recommendation: Revise the Interagency Agreement (i.e. MOU) to include the following:
• For any updates made to federal laws/regulations, the service level provider (i.e. OJP) should ensure all General Support Systems (GSS) and Major Applications (MA) are in compliance. If not, then a waiver should be documented by G&T to mitigate the issue of non-compliance with DHS laws/regulations.
The revised Interagency Agreement (i.e. MOU) should be agreed upon and communicated between appropriate G&T and Department of Justice (DOJ), Office of Justice Personnel (OJP) personnel.

G&T 06-03 (New Issue; Risk Rating: High)
Condition: We identified that all 45 G&T users’ (17 [redacted], 11 Integrated [redacted], and 17 [redacted]) recertification forms contained one of the following weaknesses: original access level/privileges assigned were not documented on the form, or the user privileges were notated as deleted on the form but still active on the access listing. In addition, the recertification process was not performed on a semi-annual basis as stipulated by the OJP’s recertification process.
Recommendation: Perform a review of all user accounts and associated access levels within the [redacted] and [redacted] applications on an appropriate, periodic basis.

G&T 06-04 (New Issue; Risk Rating: High)
Condition: We identified that 14 out of 15 remote users did not have an authorized remote access form on file. Specifically, we noted that the forms were missing signatures from the employee and his/her supervisor.
Recommendation: Ensure procedural improvements have been made for ensuring supervisor and employee signatures are obtained for all remote access requests.

G&T 06-05 (New Issue; Risk Rating: Medium)
Condition: We identified 1 out of 6 terminated employees who had a missing requestor signature on their SF-52 form. In addition, we identified 6 out of 6 terminated employees who did not sign their DHS 400-2 exit clearance form upon departure.
Recommendation: Ensure procedural improvements have been made for ensuring supervisor and employee signatures are obtained for exit clearance forms.

G&T 06-06 (Repeat Issue; Risk Rating: High)
Condition: The following weaknesses were identified as a part of the FY 2006 Department of Justice, Office of Justice Programs (OJP) Financial Statement Audit and impact the reliance G&T has on OJP’s IT control environment:
Access Controls:
• Procedures for Generic User Accounts Not Documented.
• Periodic Recertification of OJP Application and System Accounts Not Consistently Performed.
• OJP does maintain log of changes to security profiles.
Application Change Controls:
• Application and System Change Controls Procedures and Processes Need Improvement.
Service Continuity:
• Tape Backup Policies and Procedures and Documentation Storage Requirements Need Enhancement.
System Software:
• General Support System Configurations Need Enhancement.
Recommendation: Revise the Interagency Agreement (i.e. MOU) to include the minimum security-related responsibilities. The agreement should be revised to include the description and related responsibility for the following components:
• Description of Services
• Description of Processing Services
• Security Services
• Software Development and Maintenance Support
• List of applications to be processed
• Help desk support
• Service Level Objectives
• Communications support (LAN, WAN)
• Continuity of Operations/Disaster Recovery
The MOU should be agreed upon and communicated to the appropriate G&T personnel. In addition, G&T should continue to work with OJP to ensure all weaknesses that impact G&T reliance on the OJP IT control environment are mitigated and corrected.

G&T 06-07 (Risk Rating: High)
Condition: 1 out of 6 G&T terminated employees’ access was not removed from the [redacted] application within a timely manner (i.e. two business days).
Recommendation: Pursue methods for improving the process to notify the G&T Security Administrator that an employee or contractor has been transferred or has terminated employment with DHS G&T and no longer requires system access to [redacted].

G&T 06-12 (Repeat Issue; Risk Rating: High)
Condition: Three users have been assigned privileges that allow them to enter, modify, and approve journal vouchers. According to their job functions and responsibilities, these users should only have the ability to enter journal vouchers. In addition, two users have been assigned privileges (e.g. [redacted]) that allow them to modify vendor tables and to open and close fiscal years.
Recommendation: Adjust/modify or remove the access levels for the individuals identified in the condition.

Department of Homeland Security
FY2006 Information Technology
Notification of Findings and Recommendations – Detail

Transportation Security Administration

TSA 06-01 (Repeat Issue; Risk Rating: High)
Condition: The [redacted] Business Contingency and Disaster Recovery Plan (collectively referred to as the DRBC) is approximately 70% completed, with full completion expected by September 30, 2006. Because the plan is in draft form it has not yet been tested; a tabletop exercise has been planned upon completion of the DRBC.
Recommendation:
• Finalize and implement the DRBC and ensure that it reflects changes in hardware and software and addresses disaster recovery procedures for [redacted]’s key financial systems.
• Identify an alternate processing site and document associated restoration procedures.
• Periodically test the DRBC and evaluate the results of the testwork so that the DRBC can be adjusted to correct any deficiencies identified in testing.

TSA 06-02 (New Issue; Risk Rating: High)
Condition: A comprehensive incident capability that includes designated response team members and procedures for incident handling, to help ensure that incidents are properly handled, has not been documented and implemented. Management has acknowledged this issue and is currently developing a draft incident response capability.
Recommendation:
• Develop an incident response capability that includes:
  - Designation of response team members;
  - Training for team members; and
  - Procedures for incident handling, including preparation, containment, eradication, recovery and follow-up activities.
• Approve and implement the incident response capability at the [redacted].

TSA 06-03 (New Issue; Risk Rating: Medium)
Condition:
• [redacted] emergency procedures are in place for the evacuation of [redacted] and its Data Center. However, no emergency re-entry procedures exist within this directive.
• No policies and procedures are in place to guide and document the emergency training of Data Center personnel.
• Weaknesses exist in the implementation of least privilege regarding granting access to the Data Center personnel. Specifically, two out of the fifteen personnel forms selected granted twenty-four hour access to individuals on the janitorial staff.
Recommendation:
• Finalize and implement the emergency procedures that include re-entry procedures into the Data Center.
• Develop and implement policies and procedures to train Data Center staff in emergency procedures pertaining, but not limited, to fire, water, and alarm procedures. Additionally, formalize this training by retaining documentation that all staff have completed the training.
• Continue to limit entry to the Data Center, especially after normal business hours, to critical personnel only.

TSA 06-04 (New Issue; Risk Rating: Medium)
Condition: Although backup tapes for [redacted] the Coast Guard General Support System (GSS) are created on a regular basis, testing procedures have not been documented in accordance with [redacted] Instruction. Additionally, although CAS backup tapes are rotated offsite to the [redacted], GSS backup tapes are not included in the tape rotation process to the [redacted]. Although a tape rotation schedule and tape rotation procedures have been documented, the tape transfer logs are not being completed in their entirety to note the tape numbers and the number of tapes being rotated offsite.
Recommendation:
• Develop and document comprehensive backup procedures, which include testing the [redacted] GSS backup tapes on a regular basis, at least annually.
• Enforce the tape rotation procedures to ensure that tape transfer logs are completed, and perform a weekly review to ensure that the logs are completed in their entirety before the tapes are sent to the [redacted].
• Include the GSS backup tapes in the weekly offsite tape rotation to the [redacted]. Update the tape transfer log to include the GSS backup tapes that will be included in the rotation.

TSA 06-05 (New Issue; Risk Rating: High)
Condition: Configuration weaknesses over [redacted] workstations allowed users to modify sensitive workstation system and security settings. During our test work, using a [redacted] network user account provided with ordinary privileges, we were able to successfully:
• Disable the desktop’s anti-virus;
• Change the screen saver setting to remove the password-locking feature; and
• Increase the time period for the screen saver activation significantly.
Upon notification, [redacted] management took immediate action to correct the configuration settings.
Recommendation:
• Develop and implement a configuration checklist for the anti-virus server.
• Perform periodic audits of the anti-virus and workstation security settings to ensure appropriate configurations are maintained.

TSA 06-06 (New Issue; Risk Rating: Medium)
Condition: Weaknesses were noted in regard to personnel entrance and exit procedures for civilian, contractor and military personnel. Specifically, out of fifteen entrance check-in sheets inspected, thirteen were incomplete or did not exist. Additionally, out of fifteen exit check-out sheets inspected, only four were received from our sample selection, and none of those were complete.
Recommendation:
• Continue with efforts to improve the implementation of the personnel entrance and exit procedures and a more formalized chain of command for the collection of the check-in and check-out sheets.
• Track and monitor the completion of check-in and check-out sheets.
• Ensure that personnel indicate which line items on the check-in/check-out sheets are not applicable.
• Retain check-out sheets for up to a year after an employee’s departure.

TSA (New Issue)
Condition: A [redacted] Security Configuration Management
Recommendation: Implement corrective actions to implement a
High\n06-07   Plan does not exist that clearly delineates the                 Security Configuration Management\n        roles and responsibilities between                    Plan that includes the role and responsibilities\n                                       , and the          .   of                      Also, the plan should\n        GCE is the organization under contract by Coast       address both                 and their\n        Guard to manage the                    software       associated operating systems and databases.\n        programs. Consequently, the System Security           Subsequently, the                  System\n        Plans for the                 applications do not     Security Plans should be updated to reflect the\n        include key security control information.             approved information in the             Security\n        Specifically, the plans do not include                Configuration Management Plan.\n        information on the current security configuration\n        management process, including delineation of\n        responsibilities for all involved parties.\nTSA     During technical testing patch management             \xe2\x80\xa2   Implement the corrective actions noted in                       X           High\n06-08   weaknesses were identified on hosts supporting            the tables above.\n        the                 applications. Many of these       \xe2\x80\xa2   Implement polices and procedures to\n        vulnerabilities could allow a remote attacker to          ensure that the software builds created by\n        gain full control of the affected host and could          the software developer are tested to ensure\n        lead to the compromise of the availability,               that all software security configurations,\n        confidentiality and integrity of                          such as software patches and non-\n        data.                                                     
compliant settings, are up to date.\n                                                              \xe2\x80\xa2   Continue the process for performing\n                                                                  periodic scans of the            network\n                                                                  environment, including the financial\n                                                                  processing environment, for the\n                                                                  identification of vulnerabilities, in\n                                                                  accordance with NIST SP 800-42.\n                                                              \xe2\x80\xa2   Implement corrective actions to mitigate\n                                                                  the risks associated with any\n                                                                  vulnerabilities identified during periodic\n                                                                  scans.\n\n\n\n                  Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                         109\n\x0c                                                                                                                                    Appendix B\n\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2006\n\nNFR                                                                                                                                         Risk\n                           Condition                                        Recommendation                     New Issue   Repeat Issue\n  #                                               
                                                                                         Rating\nTSA     During technical testing configuration               We recommend that TSA ensure and verify                            X           High\n06-09   management weaknesses were identified on             that Coast Guard\xe2\x80\x99s            complete the\n        hosts supporting the                 applications.   following corrective actions:\n        Specifically, servers were identified with\n        excessive access privileges, and password and        \xe2\x80\xa2   Implement the corrective actions noted in\n        auditing configuration weaknesses.                       the tables above.\n                                                             \xe2\x80\xa2   Implement polices and procedures to\n                                                                 ensure that the software builds created by\n                                                                 the software developer are tested to ensure\n                                                                 that all software security configurations,\n                                                                 such as software patches and non-\n                                                                 compliant settings, are up to date.\n                                                             \xe2\x80\xa2   Continue the process            rming\n                                                                 periodic scans of the            network\n                                                                 environment, including the financial\n                                                                 processing environment, for the\n                                                                 identification of vulnerabilities, in\n                                                                 accordance with NIST SP 800-42.\n                          
                                   \xe2\x80\xa2   Implement corrective actions to mitigate\n                                                                 the risks associated with any\n                                                                 vulnerabilities identified during periodic\n                                                                 scans.\n\n\n\n\n                  Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       110\n\x0c                                                                                                                                  Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\nNFR                                                                                                                                       Risk\n                           Condition                                      Recommendation                     New Issue   Repeat Issue\n  #                                                                                                                                      Rating\nTSA     The            & Treasury MOU addresses the        Ensure and verify that Coast Guard\xe2\x80\x99s                 X                         Low\n06-11   development, management, operation, and            complete planned corrective actions to finalize\n        security of a connection between systems           and obtai        rovals for the MOU and ISA\n        owned by both parties. 
The previous                between           and Treasury-FMS\n        agreement expired in April of 2006 and a           Financial Management Service.\n        current MOU between                and Treasury\n        has not been completed, although finalization\n        is in the process. With the renewal of the\n        MOU,               s also creating an ISA which\n        will further define the technical details of the\n        systems interconnection.\nTSA                contracts the maintenance of their      \xe2\x80\xa2   Continue to communicate with Coast               X                         Low\n06-12   information systems software and hardware              Guard Headquarters in order to convey the\n        for the Superdome Supercomputer, which                 importance of a timely renewal of the\n        houses the four production databases including         maintenance contract.\n        the       production database, to Hewlett          \xe2\x80\xa2   Maintain a continuous service contract for\n        Packard (HP) through two separate service              the hardware and software with the current\n        agreements. One of the service contracts is            vendor by anticipating delays in contract\n        valid until 2007 for a segment of their                renewal and submitting requests for\n        computer software and hardware. 
However,               procurement in a timely manner.\n        the second portion of            \xe2\x80\x99s Superdome\n        equipment is covered under a maintenance\n        contract that expired on May 31, 2006.\nTSA     \xe2\x80\xa2 Manager Review of System Administration          \xe2\x80\xa2   Revise the Manager Review of System                            X           High\n06-13        Monitor Procedures have been developed            Administration Monitor Procedures to\n             that guide managers in performing periodic        note how often managers should perform\n             system administration monitoring reviews.         system administration monitoring reviews.\n             However, the procedures do not note the           Additionally, the procedures should note\n             periods of review that are being monitored,       the titles/positions of the individuals who\n             who is responsible for performing the             are authorized and responsible for\n             reviews and evidence that the manager             performing the reviews and what type of\n             review was performed could only be                documentation should be retained as a\n\n\n                  Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                      111\n\x0c                                                                                                                                    Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\nNFR                                                                                                                                         Risk\n                           Condition           
                           Recommendation                       New Issue   Repeat Issue\n #                                                                                                                                         Rating\n             obtained for March 2006. Additionally,            result of the review.\n             although the manager reviews were             \xe2\x80\xa2   Continue enforcing             Instruction\n             implemented in March 2006, for the first          5230.3 \xe2\x80\x93 Policy for System Level Access\n             half of the fiscal year, October through          to           Computer Assets.\n             March,          system administration             Additionally, review the access request\n             monitoring was not performed by a manager         forms before the request is implemented to\n             or group outside of the three systems             ensure that the request contains a\n             administrators during that time period.           supervisor approval and notes the level of\n        \xe2\x80\xa2    The access request form for one out of four       access/privileges that the individual should\n             individuals granted access to         since       be granted.\n             October 1, 2005, did not contain the          \xe2\x80\xa2   Continue enforcing             Instruction\n             supervisor\xe2\x80\x99s approval.                            5230.3 \xe2\x80\x93 Policy for System Level Access\n        \xe2\x80\xa2    The account of a contractor that left             to           Computer Assets to ensure\n                       in October 2005 remained active         that the accounts of terminated\n             until May 2006.                                   
civilians/contractors/military personnel are\n                                                               revoked in a timely manner.\nTSA     During our audit, the following      access        \xe2\x80\xa2   Continue with efforts to correct the               X                         High\n06-14   control weaknesses were noted:                         implementation of the lockout policies and\n                                                               procedures to ensure that users are locked\n            \xe2\x80\xa2 Password configurations for application          out of their accounts after three invalid\n              and database were configured to permit           attempts.\n              passwords to be a minimum of six             \xe2\x80\xa2   Establish detailed procedures for audit trail\n              characters in length which is not in             generation, review and management. The\n              compliance with the            Password          procedures should discuss the conditions\n              Policy Standard Operating Procedure              under which the audit trails should be\n              (SOP).                                           generated, reviewed, the frequency of the\n            \xe2\x80\xa2 Users are not locked out of their                reviews, and the basis for determining\n              application accounts after three     d           when suspicious activity should be\n              logon attempts.                                  investigated.\n            \xe2\x80\xa2 Audit logging has not been enabled with in   \xe2\x80\xa2   Develop and implement access control\n              the      application or database.                procedures for the         ystem and\n            \xe2\x80\xa2 Individuals who are no longer employed           database accounts. 
These procedures\n\n                  Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                      112\n\x0c                                                                                                                                 Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\nNFR                                                                                                                                      Risk\n                          Condition                                    Recommendation                       New Issue   Repeat Issue\n #                                                                                                                                      Rating\n             with           were found to have active       should include, at a minimum, steps for\n             accounts with in       Although their          removing the accounts of terminated\n             application accounts have been disabled,       individuals. Additionally, the procedures\n             one civilian and one contractor retained       should include information regarding the\n             open and active data          unts after       notification of both internal and remote\n             their departure from                           user terminations.\n           \xe2\x80\xa2       account reviews have not been        \xe2\x80\xa2   Develop and implement access control\n             performed on a periodic basis for              procedures for the         system and\n             personnel.                                     database accounts. 
These procedures\n                                                            should include, at a minimum, steps for\n                                                            reviewing the system and database user\n                                                            listings to ensure that all terminated\n                                                            individuals no longer have active\n                                                            accounts, that inactive accounts are locked\n                                                            and that privileges associated with each\n                                                            individual are still authorized and\n                                                            necessary. Additionally the procedures\n                                                            should note the parties that should be\n                                                            involved in the review process and\n                                                            supporting documentation that should be\n                                                            maintained as a result of the review.\n\nTSA     During our audit, the following     access      \xe2\x80\xa2   Configure the        application and               X                         High\n06-15   control weaknesses were noted:                      database to maintain the password history\n                                                            for each account.\n           \xe2\x80\xa2 Password configurations for application    \xe2\x80\xa2   Configure th           pplication and\n             and database have not been configured to       database to lock users out of their accounts\n             maintain the password history for each         after three failed login attempts.\n             account which is required by the           \xe2\x80\xa2   Establish detailed procedures for audit trail\n       
      Password Policy Standard Operating             generation, review and management. The\n             Procedure (SOP), as well as DHS                procedures should discuss the conditions\n             Information Technology Security Program        under which the audit trails should be\n\n                 Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                   113\n\x0c                                                                                                                                     Appendix B\n\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2006\n\nNFR                                                                                                                                          Risk\n                           Condition                                       Recommendation                       New Issue   Repeat Issue\n #                                                                                                                                          Rating\n             Publication, 4300A.                                generated, reviewed, the frequency of the\n           \xe2\x80\xa2 Users are not locked out of their                  reviews, and the basis for determining\n             accounts after three invalid logon attempts.       when suspicious activity should be\n           \xe2\x80\xa2 Policies and procedures for application and        investigated. In addition, sufficient\n             database audit log management have not             resources should be allocated to ensure the\n             been documented. 
Additionally, although            proper implementation and monitoring of\n             audit logs are generated that document who         these procedures.\n             is logging in and out of the                   \xe2\x80\xa2   Configure the system to track and lock the\n             database administrator account, the logs           accounts of individuals who have not\n             are being generated and reviewed by the            logged into the system in 90 days.\n             database administrators and not by an\n             external party.\n           \xe2\x80\xa2       has not been configured to track and\n             deactivate accounts that have not been used\n             in 90 days.\nTSA     In FY 2006, we performed access control test        We recommend that TSA ensure and verify                X                         High\n06-16   work around the Sunflower application and           that Coast Guard\xe2\x80\x99s            complete the\n        database. During our review, the following          following corrective actions:\n        Sunflower access control weaknesses were\n        noted:                                              \xe2\x80\xa2   Continue with efforts to correct the\n                                                                implementation of the lockout policies and\n           \xe2\x80\xa2 Password configurations for application            procedures to ensure that users are locked\n             and database were configured to permit             out of their accounts after three invalid\n             passwords to be a minimum of six                   attempts.\n             characters in length which is not in           \xe2\x80\xa2   Establish detailed procedures for audit trail\n             compliance with the            Password            generation, review and management. 
The\n             Policy Standard Operating Procedure                procedures should discuss the conditions\n             (SOP), or the DHS policy, during the time          under which the audit trails should be\n             period of October 2005 through June 2006.          generated, reviewed, the frequency of the\n             After June 2006, the password length was           reviews, and the basis for determining\n             changed to eight characters.                       when suspicious activity should be\n           \xe2\x80\xa2 Users are not locked out of their Sunflower        investigated. In addition, sufficient\n\n\n                  Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                                       114\n\x0c                                                                                                                          Appendix B\n\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2006\n\nNFR                                                                                                                               Risk\n                     Condition                                    Recommendation                     New Issue   Repeat Issue\n #                                                                                                                               Rating\n        application accounts after three invalid       resources should be allocated to ensure the\n        logon attempts.                                
proper implementation and monitoring of\n      \xe2\x80\xa2 Audit logging has not been enabled with in     these procedures.\n        the Sunflower application or database.\n        Specifically, unusual or sensitive access\n        (database and system administrator\n        activity) is not monitored and suspicious\n        activity is not investigated. Additionally,\n        audit trails of appropriate user actions,\n        including changes to security profiles are\n        not generated and maintained.\n\n\n\n\n            Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                             115\n\x0c                                                                                                                                   Appendix B\n\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2006\n\nNFR                                                                                                                                        Risk\n                          Condition                                       Recommendation                      New Issue   Repeat Issue\n  #                                                                                                                                       Rating\nTSA     During our audit, the following     access         \xe2\x80\xa2   Develop and implement access control\n06-17   control weaknesses were noted:                         policies and procedures for the periodic\n                                                               review of the       application accounts          X                         High\n        \xe2\x80\xa2        accounts are not immediately disabled         for TSA users. 
(Condition, continued)
upon an employee’s termination. Specifically, one out of the two separated employees who had access to the          system was not disabled until six months after separating. Additionally, the employee’s TSA LAN account was also active during this time.
• No policies and procedures exist for the periodic review of TSA personnel with access to          .

(Recommendation, continued)
These procedures should include, at a minimum, steps for reviewing the application user listings to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked and that privileges associated with each individual are still authorized and necessary. Additionally, the procedures should note the parties that should be involved in the review process (i.e., supervisors, database administrators and system administrators).
• Retain supporting documentation indicating the results of each review.
• Notify and coordinate with CG-          to implement the corrective actions that must result from the review, such as removing separated users from the system or modifying account privileges.

Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit

116

Appendix B

Department of Homeland Security
Information Technology Management Letter
September 30, 2006

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

TSA 06-18 (New Issue; Risk Rating: High)

Condition:
During our audit the following          access control weaknesses were noted:
•          accounts are not immediately disabled upon an employee’s termination. Specifically:
  - Three separated TSA employees had active accounts on          and the remote connection,          . These three user accounts for          were not end dated until October 16, 2006. Additionally, one out of the three has an open TSA Local Area Network (LAN) account.
  - As of September 2006, eight separated TSA employees’          accounts were still active on the application after they had separated from TSA over seven months previously. Additionally, seven of those eight individuals had open          accounts during that time period, and at least four individuals also had active TSA LAN accounts.
• No formalized policies and procedures for the periodic reviews of the          accounts exist.
• No access request forms could be obtained for the selection of four TSA users who were granted access to the          application this fiscal year.

Recommendation:
• Immediately disable          application,          and LAN access for all separated employee accounts.
• Formalize and implement access control policies and procedures for the periodic review of the          application,          and LAN accounts for TSA users. These procedures should include, at a minimum, steps for reviewing the application user listings to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked and that privileges associated with each individual are still authorized and necessary. Additionally, the procedures should note the parties that should be involved in the review process (i.e., supervisors, database administrators and system administrators).
• Retain supporting documentation indicating the results of each review.
• Develop and implement formalized access control policies and procedures for granting access to the          application and database accounts. These procedures should include, at a minimum, steps for granting and approving access. Additionally, the procedures should require the supervisors to document the level of access each new user should be granted within the system and database before the request is submitted to the system administrator and database administrator for implementation. This documentation should be retained for each user.

TSA 06-19 (New Issue; Risk Rating: High)

Condition:
In FY 2006, we performed access control test work around the Sunflower application, database and the TSA Local Area Network (LAN). During our review, the following Sunflower access control weaknesses were noted:
• Sunflower accounts are not immediately disabled upon an employee’s termination. Specifically, six terminated TSA personnel have active accounts on the Sunflower application. Additionally, three of the six individuals still retain active LAN accounts. Furthermore, one Sunflower account, for a separated individual, was active for over six months on the Sunflower system and the TSA LAN before being disabled.
• Policies and procedures requiring the periodic reviews of Sunflower accounts have not been documented.

Recommendation:
• Develop and implement access control policies and procedures for the periodic review of the Sunflower application accounts and LAN accounts for TSA users. These procedures should include, at a minimum, steps for reviewing the application user listings to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked and that privileges associated with each individual are still authorized and necessary. Additionally, the procedures should note the parties that should be involved in the review process (i.e., supervisors, database administrators and system administrators).
• Retain supporting documentation indicating the results of each review.
• Notify and coordinate with CG-          to implement the corrective actions that must result from the Sunflower review, such as removing separated users from the system or modifying account privileges.

TSA 06-20 (New Issue; Risk Rating: Medium)

Condition:
The TSA Form 1402, IT off-boarding form for Non-Screeners and Contractors, is not consistently completed for terminated personnel. Specifically, we noted that the form was unavailable for thirty-eight (38) of sixty (60) terminated employees selected for testing. Additionally, eight (8) out of the twenty-two (22) forms received were incomplete.

Recommendation:
• Send out a TSA broadcast message reminding all TSA Non-Screeners and Contractors to completely fill out the TSA Form 1402 as they are initiating their own termination process.
• Assess implementing a process whereby the terminated individual’s supervisor would initiate the completion of TSA Form 1402, instead of the terminated individuals themselves.

TSA 06-21 (New Issue; Risk Rating: Medium)

Condition:
During our audit, the following weaknesses were identified:
• Initial and/or annual refresher training for security awareness was not completed for 9,821 out of 52,106, approximately 19%, of the TSA personnel and contractors with access to TSA information systems.
• Computer Access Agreements were not complete for 9,627 out of 55,335, approximately 17%, of TSA federal employees and contractors with access to TSA information systems. Additionally, 30,835 out of 55,335 personnel, approximately 56%, had agreements on file that were over a year old.

Recommendation:
Enforce the completion of security awareness training and the computer access agreement for all TSA employees and contractors each fiscal year.

TSA 06-22 (New Issue; Risk Rating: High)

Condition:
Although the Interagency agreement between United States Coast Guard          (CG          ) and TSA states that CG-          is responsible for configuration management on both the technical and operational sides of the          product suite, TSA, however, has not formalized a tracking process of their own for requests that they submit, nor do they retain records of the change control process.

TSA has no policies and procedures surrounding the change control process for the          product suite. Specifically, TSA should be responsible for approving the functional resolution documents provided for their specific changes,          evidence that testing was done by CG-          on their behalf, and approving the final change before it is moved into production.

Additionally, TSA has not retained any documentation of initial approvals, testing and final approvals for TSA specific changes made          Sunflower in FY 2006. Specifically, no documentation for the initial approvals, testing or final approvals could be obtained for a selection of 14          changes, 16          changes and 4 Sunflower changes emergency changes.

Recommendation:
• Formally document and better define the different responsibilities that TSA, CG-          and GCE have in the change control process for the          product suite.
• Develop and implement policies and procedures to document TSA’s role and responsibilities in the change control process. Be sure to specifically address initial approvals, testing and final approval of all changes to the system.
• Develop and implement a formalized process for the retention of documentation throughout the change control process.
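The periodic account review that the TSA recommendations above call for (terminated individuals with active accounts, inactive accounts not locked, privileges with no approved access request behind them), as an added example that is not part of the report or of any DHS system: a Python reconciliation of an application user listing against HR separation dates and approved access requests, run over constructed sample data. User ids, dates and the role names AP_CLERK and ACO are constructed; the 90-day inactivity threshold is the DHS policy figure cited in Appendix C, and it is the only value taken from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# DHS policy threshold for inactive accounts, as cited in Appendix C (CBP 05-26).
INACTIVITY_LOCK_DAYS = 90


@dataclass
class Account:
    user_id: str
    status: str                 # "active", "locked" or "disabled"
    privileges: frozenset       # roles granted in the application
    last_logon: Optional[date]  # None if the user has never logged on


@dataclass
class Finding:
    user_id: str
    issue: str
    detail: str


def review_accounts(accounts, separations, approved_privileges, review_date):
    """Reconcile the application user listing against HR separation dates and the
    supervisor-approved access requests, returning one Finding per violation.

    accounts:            list[Account], the application's user listing
    separations:         dict user_id -> separation date from HR
    approved_privileges: dict user_id -> frozenset of privileges on the approved
                         access request form (absent = no form on file)
    """
    findings = []
    for acct in accounts:
        sep = separations.get(acct.user_id)

        # Condition 1: terminated individuals must no longer have active accounts.
        if sep is not None and sep <= review_date and acct.status != "disabled":
            days_open = (review_date - sep).days
            findings.append(Finding(acct.user_id, "SEPARATED_NOT_DISABLED",
                                    f"separated {sep.isoformat()}; account still "
                                    f"{acct.status} {days_open} days later"))
            continue  # the account should not exist at all; other checks are moot

        # Condition 2: inactive accounts must be locked (90-day rule).
        if acct.status == "active":
            idle_days = (review_date - acct.last_logon).days if acct.last_logon else None
            if idle_days is None or idle_days > INACTIVITY_LOCK_DAYS:
                findings.append(Finding(acct.user_id, "INACTIVE_NOT_LOCKED",
                                        "never logged on" if idle_days is None
                                        else f"no logon for {idle_days} days"))

        # Condition 3: privileges must still be authorized and necessary.
        approved = approved_privileges.get(acct.user_id)
        if approved is None:
            findings.append(Finding(acct.user_id, "NO_ACCESS_REQUEST",
                                    "no approved access request form on file"))
        else:
            excess = acct.privileges - approved
            if excess:
                findings.append(Finding(acct.user_id, "UNAUTHORIZED_PRIVILEGE",
                                        f"granted {sorted(excess)} not on approved request"))
    return findings


def review_record(findings, review_date, reviewers):
    """Build the supporting documentation to retain for each review: who reviewed,
    when, what was found, and the corrective actions to coordinate with the system owner."""
    actions = {
        "SEPARATED_NOT_DISABLED": "disable application and LAN access",
        "INACTIVE_NOT_LOCKED": "lock account pending supervisor confirmation",
        "NO_ACCESS_REQUEST": "obtain documented supervisor approval or remove access",
        "UNAUTHORIZED_PRIVILEGE": "remove privileges not on the approved request",
    }
    return {
        "review_date": review_date.isoformat(),
        "reviewers": list(reviewers),
        "findings": [(f.user_id, f.issue, f.detail) for f in findings],
        "corrective_actions": sorted({(f.user_id, actions[f.issue]) for f in findings}),
    }


# Constructed sample data modelled on the kinds of conditions reported in the NFRs above.
REVIEW_DATE = date(2006, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe",   "active",   frozenset({"AP_CLERK"}),        date(2006, 9, 20)),
    Account("asmith", "active",   frozenset({"AP_CLERK"}),        date(2006, 3, 1)),   # separated, still active
    Account("bwong",  "active",   frozenset({"AP_CLERK", "ACO"}), date(2006, 9, 1)),   # ACO role never approved
    Account("rlee",   "active",   frozenset({"AP_CLERK"}),        date(2006, 4, 15)),  # idle > 90 days, not locked
    Account("mpatel", "active",   frozenset({"AP_CLERK"}),        date(2006, 9, 25)),  # no access request on file
    Account("kchen",  "disabled", frozenset(),                    None),               # separated and handled
]
SAMPLE_SEPARATIONS = {"asmith": date(2006, 2, 15), "kchen": date(2006, 6, 1)}
SAMPLE_APPROVED = {
    "jdoe": frozenset({"AP_CLERK"}), "asmith": frozenset({"AP_CLERK"}),
    "bwong": frozenset({"AP_CLERK"}), "rlee": frozenset({"AP_CLERK"}),
    "kchen": frozenset(),
}

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_SEPARATIONS, SAMPLE_APPROVED, REVIEW_DATE):
        print(f"{f.user_id:8} {f.issue:24} {f.detail}")
```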
TSA 06-23 (New Issue; Risk Rating: High)

Condition:
During our audit, the following weaknesses were identified:
•          does not perform background investigations or verify that outside background investigations have been performed for contractors working at          , especially those with sensitive IT positions. Specifically,          employs 150 contractors; however, we were unable to obtain the status of a background investigation on any of them.
• No risk levels for contractor personnel with access to DHS information systems at          exist. Contracting personnel with IT job functions which require advanced access to the DHS system are not categorized at a higher risk level than an individual who uses the system with basic privileges.

Recommendation:
• Implement policies and procedures to ensure compliance with the new DHS policies for the background investigations of contracting personnel.
• Develop risk levels for contractor positions with access to DHS information systems in accordance with DHS policy.

TSA 06-24 (New Issue; Risk Rating: High)

Condition:
Excessive access has been granted within          . Specifically, of the 27 individuals that have been granted Authorized Certifying Officer (ACO) privileges to approve invoices of any dollar value, four were not justified in having such privileged access.

Recommendation:
• Develop and implement access control procedures for the periodic access review of the          system. These procedures should include, at a minimum, steps for reviewing the system user listings to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked and that privileges associated with each individual are still authorized and necessary. The procedures also should note the parties that should be involved in the review process (i.e., supervisors, database administrators and system administrators) and the supporting documentation that should be maintained as a result of the review. After the results of the review are obtained, TSA is responsible for communicating the results to          for the appropriate actions to be completed. Additionally, TSA should follow up with          to ensure that corrective actions are taken if necessary.
• Ensure that          removes the access privileges of the four individuals that do not have appropriate access to the system.

Appendix C

Department of Homeland Security
Information Technology Management Letter
September 30, 2006

Appendix C

Status of Prior Year Notices of Findings and Recommendations
And Comparison To
Current Year Notices of Findings and Recommendations

Component | NFR No. | Description | Disposition (Closed / Repeat)
USCIS 05-02 (Closed): The site Certification and Accreditation (C&A) package for the California Service Center, General Support System (GSS) - Local Area Network (LAN) is outdated and has expired.

USCIS 05-03 (Closed): The C&A package for the Texas Service Center (TSC) GSS-LAN is outdated and has expired.

USCIS 05-04 (Repeat: 06-04): Access control weaknesses such as account management, password length, and a lack of review over audit records were identified for the          .

USCIS 05-05 (Closed): A Novell NetWare server at USCIS’ Texas Service Center (TSC) was identified as not having the corr          supplied patches installed.

USCIS 05-06 (Closed): A vulnerability assessment over          at USCIS TSC noted that multiple local administrator accounts had blank passwords including several accounts with supervisor level access.

ICE 05-07 (Closed): ICE does not have procedures in place to periodically review          user access lists and could not provide a list of all authorized          users upon request.

CBP 05-01 (Closed): Numerous          user IDs were identified as having segregation of duties issues.

CBP 05-02 (Closed): The Top Secret mainframe account administration on the          had several weaknesses over unauthorized access to accounts with high-level authority, and inactive accounts.

CBP 05-03 (Closed): After the re-organization of the Office of Information Technology (OIT), security administration functions at the          are not independent of the operations function.

CBP 05-04 (Repeat: 06-01): The National Benefits Center (NBC) has not defined or documented the appropriate user permissions for the various roles granted to          Local Area Network (LAN).

CBP 05-05 (Closed): CBP management has not developed formal procedures for granting access to sensitive SAP Technical Team member roles.

CBP 05-06 (Closed): The          continuity of operations plan (COOP) is not updated to reflect the results of FY 2004 testing, and the upgrade of their financial system from          .

CBP 05-08 (Repeat: 06-29): The documentation of completed initial security awareness training is not properly maintained. We selected security awareness training documentation for 45 users. Per inspection of documentation, we noted that 13 of 45 did not have security awareness training certificates documented.

CBP 05-09 (Repeat: 06-17): Improvements still needed in CBP’s technical security controls. Related to issues reported in FY02, FY03 and FY04 findings regarding host and network based security system access deficiencies, we noted the following:
• CBP has confirmed that they will not be implementing the          to enforce strong passwords or the Windows NT password protection feature enhancement upgrade referred to as NT LANMAN v2 (LM v2).
• CBP has not made the configuration changes to the Windows NT          Domain Controller that was compromised in our FY03 intrusion tests.
• Discovered key systems’ domains in targeting for potential unauthorized access attempts where we were able to identify major CBP network domains.
• Exploited a system vulnerability that had not been corrected.
• We confirmed that the number of Domain Administrators on selected Domains has increased since 2005.
• ESM identified weak passwords, expired passwords, misconfigurations, and missing patches.
• Identified vulnerabilities on an Oracle database which had critical patches missing, weak passwords and auditing not enabled.

CBP 05-10 (Closed):          security audit log reviews not evidenced for the majority of FY 2005.

CBP 05-11 (Repeat: 06-02):
• CBP management has not established ISAs for legacy connections with          .
• Additionally, the majority of financial institutions connecting with          do not have ISAs.

CBP 05-12 (Closed): CBP alternate processing site agreement not finalized. Priority of service provision not in place.

CBP 05-13 (Repeat: 06-08): Field offices are not consistently reporting the completion of          re-certifications at their ports to the OFO headquarters. Email confirmation of completion of          re-certifications was not available for the Boston, Baltimore, New Orleans, Miami, and Calgary (Canada) field offices, and the Los Angeles field office only provided an email stating that a re-certification process exists, but did not confirm that re-certifications had been completed. The six field offices listed above represent 10 of 44 ports selected for testing.

CBP 05-14 (Repeat: 06-05):
• CBP management has not performed a formal review of individuals with physical access to the data center.
• Additionally, CBP management has not established formal procedures for revoking physical access to          buildings.

CBP 05-15 (Closed): Eighteen (18)          developers were found with access to the production environment.

CBP 05-16 (Repeat: 06-10): Improvements are still needed in CBP’s Incident Handling and Response Capability which may potentially limit CBP’s ability to respond to incidents in an appropriate manner. Specifically, we noted the following issues:
•          Health Endpoint will not be installed on all workstations for the majority of the fiscal year.
• 3 of 8 selected system flaw notifications did not have an associated Service Center ticket.

CBP 05-17 (Closed): CBP has not configured their version of          to include a company code setting of "productive."

CBP 05-18 (Repeat: 06-09): We could not obtain the requested evidence of          recertifications from CBP for any of the 44 selected field level ports to determine whether          accounts with a sensitive and high-risk combination of functions are reviewed for appropriateness.

CBP 05-19 (Closed):          Separated employees with active          accounts.

CBP 05-20 (Closed): CBP does not document changes to the          system including test plans, test cases, impact analysis, and test results.

CBP 05-21 (Closed): CBP management has not activated logging for critical tables within          .

CBP 05-22 (Repeat: 06-03): CBP management has not performed a formal certification and accreditation on the NDC LAN as a whole. Specifically, a formal security control assessment and a formal risk assessment have not been performed for components of the NDC LAN.

CBP 05-23 (Repeat: 06-06): CBP has not performed a separate certification and accreditation for the applications remaining in the seven business process areas defined in the Administrative Applications C&A. These seven business process areas include the following:
• Disclosure Administrative Support Systems
• Financial Administrative Support Systems
• Field Operations Support Systems
• Investigation Support Systems
• OIT Administrative Support Systems
• Personnel Administrative Support Systems
• Training Support Systems

CBP 05-24 (Repeat: 06-04): CBP does not maintain a centralized listing of separated contract personnel. The only method CBP employs to track terminated contractors is the use of a report of users that had their mainframe account deleted. We cannot acknowledge this list as representative of all terminated contractors, because terminated contract personnel might not have mainframe access or their access was not removed after their termination.

CBP 05-25 (Closed):          idle session lock inconsistent with CBP policy.

CBP 05-26 (Repeat: 06-07):          does not have an automated mechanism to detect and deactivate users that have not logged on for 90 days per DHS policy.

CBP 05-27 (Repeat: 06-12): We noted that 24 out of 45 selected individuals did not have formally documented VPN access authorization forms. Additionally, CBP has not implemented formal procedures for VPN recertification for the majority of FY 2006.

CBP 05-28 (Closed): Access to the          related dataset and CSD definition file is excessive.

CBP 05-29 (Closed): CBP management did not provide information as to whether vendor and bank tables are appropriately segregated.

CBP 05-30 (Closed): The number of users with access to          Audit, Recovery, and Backup datasets is excessive.

CBP 05-31 (Closed): Weaknesses in the C&A process at field sites including several missing site assessments.

CG 05-001 (Closed): The          ) has not completed a Business Recovery Plan (BRP).

CG 05-002 (Closed):          has not completed a testing baseline and users were able to change their privileges to gain access to production.

CG 05-003 (Repeat: 06-009): Access authorization requests for          ids did not indicate the roles or menus necessary for the user to perform job functions; rather, access authorizations identified a current user with similar privileges that could be copied to create the privileges for the new          id. Additionally, requests for new accounts are accomplished via email, and the system administrator did not routinely retain these emails prior to January 2006.

CG 05-004 (Repeat: 06-008): A periodic review of Direct Access access lists was not conducted to ensure that users had the correct access privileges. Additionally, we determined that an applicant could be entered and hired by the same individual. The process of transitioning an applicant to an employee is in an audit trail; however, this audit trail is not reviewed on a regular basis.

CG 05-005 (Repeat: 06-024): A security test and evaluation has not been conducted on the General Support System.
In addition, the final Certification and\n                      Accreditation package has not been created and an Authorization to\n                      Operate has not been requested or approved for the       General\n                      Support System.\n\nCG           05-006   \xe2\x80\xa2   Coast Guard has not completed the process of filing the records                       06-028\n                          that were recovered and recreating of the records that were not\n                          found during the migration of records from the Department of\n                          Transportation to DHS.\n\n     Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                      127\n\x0c                                                                                                     Appendix C\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2006\n\n                                                                                                         Disposition\nComponent NFR No. Description                                                                      Closed       Repeat\n\n                      \xe2\x80\xa2   Civilian background investigations and reinvestigations are not\n                          being consistently performed. Specifically, three (3) out of seven\n                          (7) newly hired civilian employees at              did not have any\n                          record of a background investigation on file. 
Additionally, for\n                          the re-investigation of            employees, four (4) out of five\n                          (5) GS employees selected did not have a current investigation\n                          on file.\n                      \xe2\x80\xa2   Position sensitivity level distinctions for civilian personnel with\n                          access to DHS information systems at                are not accurately\n                          depicted. Specifically, of the selection of position descriptions\n                          received, nine (9) out of ten (10) had non-critical position\n                          sensitivities although their job functions were that of IT personnel\n                          with advanced access to the DHS system.\n\nCG           05-006   \xe2\x80\xa2             does not perform background investigations or verify that                   06-034\n                          background investigations have been performed for contractors\n                          working at            especially those with sensitive IT positions.\n                          Specifically            employs 150 contractors; however, we were\n                          unable to obtain the status of a background investigation on any of\n                          them.\n                      \xe2\x80\xa2   No risk levels for contractor personnel with access to DHS\n                          information systems at             exist. 
Contracting personnel with\n                          IT job functions which require advanced access to the DHS system\n                          are not categorized at a higher risk level then an individual who\n                          uses the system with basic privileges.\n\nCG           05-008   The passwords for             are not required by the system to be 8                      06-007\n                      characters in length or contain a combination of alphabetic, numeric\n                      and/or special characters. Due to lack of vendor support, there is\n                      uncertainty to the feasibility of implementing stronger password\n                      controls.\n\nCG           05-009   The            Business Contingency and Disaster Recovery Plan is still                   06-001\n                      in draft form and has not yet been tested.\nCG           05-010                    change control process supporting                 have\n                      weaknesses including: procedures in support of the finalized CM\n                      policy are not developed, documentation supporting risk assessments            X\n                      is not maintained, formal change requests are not used, and test plans\n                      and test results are not documented.\nCG           05-011              does not have documented procedures for controlling the\n                      processes associated        the granting, monitoring, and termination of       X\n                      user accounts within        have not been documented.\nCG           05-012   \xe2\x80\xa2 Manager Review of System Administration Monitor Procedures                              06-019\n                           have been developed that guide managers in performing periodic\n                           system administration monitoring reviews. 
However, the\n\n\n     Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                      128\n\x0c                                                                                                      Appendix C\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2006\n\n                                                                                                          Disposition\nComponent NFR No. Description                                                                       Closed       Repeat\n\n                          procedures do not note the periods of review that are being\n                          monitored, who is responsible for performing the reviews and\n                          evidence that the manager review was performed could only be\n                          obtained for March 2006. 
Additionally, although the manager\n                          reviews were implemented in March 2006, for the first half of the\n                          fiscal year, October through March,         system administration\n                          monitoring was not performed by a manager or group outside of\n                          the three systems administrators during that time period.\n                      \xe2\x80\xa2   The access request form for one out of four individuals granted\n                          access to        since October 1, 2005, did not contain the\n                          supervisor\xe2\x80\x99s approval.\n                      \xe2\x80\xa2   The account of a contractor that left          in October 2005\n                          remained active until May 2006.\n\nCG           05-013             \xe2\x80\x99s Certification and Accreditations (C&A) for                and\n                              were not complete. Specifically, security testin\n                                                                                                      X\n                      evaluations (ST&E) were incomplete and security plans had not been\n                      updated.\nCG           05-014   Results of reviews over         user access were not available and\n                                                                                                      X\n                      documentation of periodic reviews was not on file at\nCG           05-015              has not implemented formal procedures for the periodic\n                      management review and monitoring activities of            database              X\n                      administrators and system administrators, or the                accounts.\nCG           05-016   During technical testing patch management weaknesses were identified                       06-026\n                      on hosts supporting the                          applications. 
Many of\n                      these vulnerabilities could allow a remote attacker to gain full control\n                      of the affected host and could lead to the compromise of the\n                      availability, confidentiality and integrity of                        data.\nCG           05-016   During technical testing configuration management weaknesses were                          06-027\n                      identified on hosts supporting the                          applications.\n                      Specifically, servers were identified with excessive access privileges,\n                      and password and auditing configuration weaknesses.\nCG           05-017   The Enterprise Security Management (ESM) tool identified\n                                                                                                      X\n                      configuration and account management weaknesses on\nCG           05-018   Internet Security Systems Internet Scanner identified three hosts that\n                                                                                                      X\n                      were missing patches.\nCG           05-019   Formal procedures regarding access to the               data center have\n                                                                                                      X\n                      not been established and implemented.\nCG           05-021   System change request to modify transaction code 136-2 to                                  06-41\n                      automatically reestablish the funds as obligated was implemented in\n                      March 2006 within the          3.2 build. Currently, the automated\n                      process appeared to be operating effectively. 
However, from October\n                      2005 through March 2006, no mitigating controls such as procedures\n                      for training of staff and/or manual reviews were established to\n                      determine whether or not the re-obligation should be established to\n\n\n     Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                       129\n\x0c                                                                                                     Appendix C\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2006\n\n                                                                                                         Disposition\nComponent NFR No. Description                                                                      Closed       Repeat\n\n                      the associated UDO balance.\n\n                      Additionally,           management indicated that transaction code\n                          should not be automatically reestablishing the funds in the\n                      system. However, as we could not perform a complete analysis of\n                      the      posting logic in FY 2006 as noted in NFR CG IT-06-029,\n                      tra       n code     , as well as other codes, may still contain errors\n                      as of September 30, 2006.\n\nCG           05-022   \xe2\x80\xa2   A copy of the                            Disaster Recovery Plan has                   06-30\n                          been completed. However, the plan has not been tested.\n                      \xe2\x80\xa2   The DRP for the\n                                    has bee\n                          DRP has not taken place. 
The projected completion date is October\n                          2006.\n                      \xe2\x80\xa2   The DRP for the General Support System has been completed.\n                          However, testing of the GSS DRP is scheduled to take place by the\n                          end of the year.\n                      \xe2\x80\xa2   A copy of the Memorandum of Understanding (MOU) between\n                               and two other CG components who the OSC must rely on for\n                          various reasons at the off-site facility was cited in the Disaster\n                          Recovery Plan\n                      \xe2\x80\xa2   A finalized contract with the off-site facility was cited in the\n                          Disaster Recovery Plan. However, we were unable to obtain the\n                          signature page for it during our audit field work.\n\nCG           05-023        has not completed a security plan for CMPlus 5.\n                                                                                                     X\nCG           05-024   During our FY 2006 follow-up testing, we determined that           had                    06-031\n                      taken corrective action on several of the previously noted\n                      vulnerabilities, however several remained. The remaining\n                      vulnerabilities are in the following four areas:\n\n                      \xe2\x80\xa2   Account management - 2 high-risk vulnerabilities and 4 medium-\n                          risk vulnerabilities\n                      \xe2\x80\xa2   Configuration management \xe2\x80\x93 2 medium-risk vulnerabilities\n                      \xe2\x80\xa2   Patch management \xe2\x80\x93 3 high-risk vulnerabilities\n\nCG           05-025   During our FY 2006 testing, we determined that none of the           prior                06-032\n                      year vulnerabilities were corrected. 
As a result, the vulnerabilities\n                      present in FY 2006 are in the following four areas:\n\n                      \xe2\x80\xa2   Audit management \xe2\x80\x93 2 medium risk vulnerabilities\n                      \xe2\x80\xa2   Configuration management \xe2\x80\x93 3 high, 6 medium and 11 low risk\n                          vulnerabilities\n\n     Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                      130\n\x0c                                                                                                     Appendix C\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2006\n\n                                                                                                         Disposition\nComponent NFR No. Description                                                                      Closed       Repeat\n\n                      \xe2\x80\xa2   Password management \xe2\x80\x93 1 high and 5 medium risk vulnerabilities\n                      \xe2\x80\xa2   Patch management- 11 high, 12 medium and 12 low risk\n                          vulnerabilities\n\nCG           05-026        has initiated required changes on the application code on the\n                      server side. 
However the required update to the user workstations has          X\n                      not been completed.\nCG           05-027   As a result of our audit test work and supported by all the IT NFRs                       06-044\n                      issued during the current year, we determined that Coast Guard is\n                      non-compliant with the following laws and regulations:\n\n                      \xe2\x80\xa2   Federal Information Security Management Act of 2002 (FISMA)\n                      \xe2\x80\xa2   Federal Financial Management Improvement Act (FFMIA)\n                      \xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130\n\n\n\nCON          05-01    Two members of DHS OFM had excessive                          access                      06-01\n                      within DHS           We informed DHS OFM of the excessive\n                                      access and noted that DHS OFM removed both users\n                      with excessive                  access. We noted that corrective action\n                      has been taken and completed in the current fiscal year; however, this\n                      issue posed a risk for a majority of the fiscal year and therefore will be\n                      reported as a weakness for FY 2006.\nCON          05-02           new user access request forms were not consistently completed                      06-02\n                      prior to granting access to      . Specifically, one (1) out of a sample\n                      of eleven (11) did not have a supervisor\xe2\x80\x99s approval. 
Additionally, five\n                      (5) out of a sample of eleven (11) did not have         security manager\n                      review.\n\nCON          05-03    OFM has not developed procedures to periodically review             access                06-03\n                      lists in order to determine whether user access is valid, consistent with\n                      job responsibilities and in accordance with the principle of least\n                      privilege\nCON          05-04    Informal processes are followed for making changes to                          X\n                      and                does not have a version manager tool for template\n                      changes made to the application.\nCON          05-05    \xe2\x80\xa2 During our audit, the following configuration management                                06-04\n                           weaknesses were noted\n                      \xe2\x80\xa2 Segregation of duties violations exists for twelve (12) out of\n                           twenty-five (25) system changes made outside of the scheduled\n                                  Quarterly Releases.\n                      \xe2\x80\xa2 Segregation of duties violations exists for four (4) out of ten (10)\n                           emergency system changes made outside of the scheduled\n                           Quarterly Releases.\n\n\n     Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                      131\n\x0c                                                                                                Appendix C\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2006\n\n                                                                                                  Disposition\nComponent NFR No. 
Description                                                                 Closed     Repeat\n\n                   \xe2\x80\xa2   Test documentation is not available for changes implemented\n                       outside of the scheduled      Quarterly Releases.\n\nCON        05-06   Discrepancies exist between the DHS Performance and Accountability                    06-15\n                   Report (PAR) Guidance and the Analytical Report\n\nCON        05-07   \xe2\x80\xa2    We determined that normal balance type indicated on the DHS                      06-16\n                        SGL for Account 4132 and Account 7280 differ from the normal\n                        balance type indicated on the US SGL.\n                   \xe2\x80\xa2 We determined that 101 DHS SGL accounts were not found in the\n                        US SGL and reported a zero balance for period 9. These accounts\n                        do not appear to be currently used by DHS and/or do not appear to\n                        be related to DHS operations.\nCON        05-08   There are no documented procedures in place for DHS components to                     06-05\n                   perform a formal review, by a separate approving individual, to verify\n                   the        financial data to the general ledger before moving the\n                   file from the Holding Area into the         Repository.\n\nCON        05-09   DHS is non-compliant with the Federal Information Security                            06-18\n                   Management Act\n\n\nFEMA       05-01   There are no procedures are in place to periodically review        user               06-03\n                   access lists to determine if access is still needed, including the\n                   development of a master listing of all employees and contractors\n                   developed and maintained by FSB.\n\nFEMA       05-02   \xe2\x80\xa2            users are not locked out of the system after 
three invalid               06-09\n                       logon attempts. In addition, we determined that upon locking a\n                       user account out of the system after three invalid logon attempts at\n                       the domain level, the user account becomes unlocked and active\n                       again after fifteen (15) minutes of inactivity.\n                   \xe2\x80\xa2                      settings on machines running Microsoft Windows\n                       2000 Professional disabled the user\xe2\x80\x99s ability to disable the\n                       password protected screensaver; however the\n                       settings did not disable the user\xe2\x80\x99s ability to ch\n                       threshold greater than the FEMA standard of fifteen minutes. This\n                       weakness impacts\n\nFEMA       05-03   The         production and test servers are located in very close                     06-04\n                   proximity of each other, which is not conducive to effective\n                   contingency planning efforts. We note that upon the implementation of\n                   the                Data Center\xe2\x80\x99s \xe2\x80\x9creal-time\xe2\x80\x9d back-up facility, both the\n                          test and production servers will be redundant, alleviating the\n                   current condition. 
However, the           back-up facility does not\n                   currently have that capability in place.\n\n   Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                  132\n\x0c                                                                                                   Appendix C\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2006\n\n                                                                                                     Disposition\nComponent NFR No. Description                                                                    Closed     Repeat\n\n\n\nFEMA       05-04   Twenty-nine (29) terminated or separated FEMA employees and                              06-13\n                   contractors maintain active          user accounts. Additionally, we\n                   noted that two (2) terminated or separated FEMA employees maintain\n                   active           user accounts. The implementation of FEMA\n                   Instruction 1540.3 as a form of access controls review is not sufficient\n                   because FEMA is only performing reviews over current year\n                   terminations and separations, and has not performed reviews over\n                   legacy users to ensure that all users have valid access.\nFEMA       05-05   \xe2\x80\xa2 The             ST&E did not provide adequate documentation of the                     06-05\n                        results to the accrediting authority. 
The         ST&E included\n                        thorough testing of managerial, operational and technical controls\n                        and identified 88 vulnerabilities; however, the vulnerabilities listed\n                        in the         report were only identified as one POA&M weakness\n                        in the         POA&M\n                   \xe2\x80\xa2   Of the 10 systems deemed critical for which the C&A process was\n                       completed, we noted that the following four systems did not\n                       include any documentation of their ST&E results in the ATO\n                       package:\n                   \xe2\x80\xa2   FEMA has completed a majority of the            migration from\n                       Microsoft Windows 2000 Professional to Linux except for a few\n                       aspects of the migration dealing with Individual Assistance and\n                       various regional sites. We noted that these major changes to the\n                       system warrant that the          C&A process be re-performed.\nFEMA       05-06                     settings on machines running Microsoft Windows                         06-10\n                   2000 Professional prevented the user\xe2\x80\x99s ability to disable the password\n                   protected screensaver; however the                     settings did not\n                   prevent the user\xe2\x80\x99s ability to change                   shold. The\n                   implementation of a password protected screensaver as a mitigating\n                   control for lacking a second form of authentication is not sufficient if\n                   users have the ability to change the inactivity threshold greater than the\n                   FEMA standard of fifteen minutes. 
This weakness impacts\n\nFEMA       05-07   There is not formal, documented procedures are in place to require                       06-06\n                   updates to the         system documentation as          functions are\n                   added, deleted, or modified.\nFEMA       05-08   \xe2\x80\xa2 FEMA did not adequately document testing of the Contingency                            06-07\n                       Plan for         . Although a table-top test of the\n                       Contingency Plan was completed on February 1             , the\n                       table top test did not adequately test the IT components of the\n                       system/processes.\n                   \xe2\x80\xa2 FEMA does not have an accurate Contingency Plan for\n                       The most recent version of the            Contingency Plan is dated\n                       July 19, 2004. However, since that time, FEMA has nearly\n\n   Information Technology Management Letter for the FY 2006 DHS Financial Statement Audit\n\n                                                    133\n\x0c                                                                                                 Appendix C\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2006\n\n                                                                                                   Disposition\nComponent NFR No. 
Description                                                              Closed     Repeat

                   completed its migration of [redacted] from Microsoft Windows 2000
                   Professional to the [redacted] operating system and is adding a Small
                   Business Administration web interface.
FEMA       05-09   The FEMA COOP has prioritized each of its 12 critical Information                  06-08
                   Technology (IT) systems according to criticality of the systems;
                   however, the FEMA COOP has not been updated to take into account
                   the new listing of FEMA critical IT systems. We confirmed with the
                   Office of Cyber Security (OCS) and ONSC that the updated listing of
                   FEMA mission critical IT systems should be represented in the FEMA
                   COOP.

FEMA       05-10   During our technical testing, configuration management weaknesses                 06-02
                   were identified on [redacted] and key support servers.
                   Specifically, servers were identified with password and auditing
                   configuration weaknesses, and version weaknesses.
FEMA       05-11   During our technical testing, configuration management weaknesses                 06-02
                   were identified on [redacted] and key support servers.
                   Specifically, servers were identified with password and auditing
                   configuration weaknesses, and version weaknesses.
FEMA       05-12   During our technical testing, configuration management weaknesses                 06-02
                   were identified on [redacted] and key support servers.
                   Specifically, servers were identified with password and auditing
                   configuration weaknesses, and version weaknesses.
FEMA       05-13   During our technical testing, patch management weaknesses were                    06-01
                   identified on [redacted] servers. Specifically, as a result of missing
                   patches, the [redacted] servers were vulnerable to buffer overflow
                   vulnerabilities.
FEMA       05-14   Twenty-one (21) users in [redacted] and eight (8) users in [redacted]             06-27
                   have the ability to gain access to the account mapping [redacted]ns
                   and make changes to the account tables. Of the 21 users in
                   [redacted], nine (9) users do not have a real business need to have
                   access to this function. The 9 users that appear to have excessive
                   access consist of [redacted] developers or others with system
                   administrative access. Additionally, of the 8 users in [redacted],
                   six (6) users do not have a real business need to have access to
                   this function.

                   Additionally, excessive access is designed to be permitted within
                   [redacted] to make offline changes to the general ledger account
                   tables via the [redacted] Group. Currently, we identified five (5)
                   users in the [redacted] group that have the ability to make offline
                   changes to the general ledger account tables. Of the five users,
                   four (4) users do not have a real business need to have access to
                   this function.

G&T        05-04   Three users have been assigned privileges that allow them to                      06-12
                   enter, modify, and approve journal vouchers. According to their job
                   functions and responsibilities, these users should only have the
                   ability to enter journal vouchers.

                   In addition, two users have been assigned privileges (e.g.
                   [redacted]) that allow them to modify vendor tables and to open and
                   close fiscal years.
G&T        05-06   The following weaknesses were identified as a part of the FY 2006                 06-06
                   Department of Justice, Office of Justice Programs (OJP) Financial
                   Statement Audit and impact the reliance G&T has on OJP’s IT control
                   environment:

                   Access Controls:
                   •   Procedures for Generic User Accounts Not Documented.
                   •   Periodic Recertification of OJP Application and System Accounts
                       Not Consistently Performed.
                   •   OJP does maintain log of changes to security profiles.

                   Application Change Controls:
                   •   Application and System Change Controls Procedures and
                       Processes Need Improvement.

                   Service Continuity:
                   •   Tape Backup Policies and Procedures and Documentation Storage
                       Requirements Need Enhancement.

                   System Software:
                   •   General Support System Configurations Need Enhancement.

G&T        05-12   Segregation of duties is not properly enforced. The SLGCP has not       X
                   formed a separate Information Systems department and has yet to
                   develop policies or procedures outlining segregation of duties
                   controls or procedures.
G&T        05-13   For 1 out of 6 terminated G&T employees, access was not removed                   06-07
                   from the Web 269 application in a timely manner (i.e., within two
                   business days).

TSA        05-01   Formal procedures regarding access to the Coast Guard [redacted]        X
                   data center have not been established and implemented.
TSA        05-03   [redacted] change control process supporting [redacted] have            X
                   weaknesses including: procedures in support of the finalized CM
                   policy are not developed, documentation supporting a risk
                   assessment is not maintained, formal change requests are not used,
                   and test plans and test results are not documented.
TSA        05-04   The [redacted] Business Contingency and Disaster Recovery Plan                    06-01
                   (collectively referred to as the DRBC) is approximately 70%
                   completed, with full completion expected by September 30, 2006.
                   Because the plan is in draft form it has not yet been tested, and a
                   tabletop exercise has been planned upon completion of the DRBC.

TSA        05-05   Procedures for controlling the processes associated with the            X
                   granting, monitoring, and termination of user accounts within
                   [redacted] have not been documented.
TSA        05-06   •   Manager Review of System Administration Monitor Procedures                    06-13
                       have been developed that guide managers in performing periodic
                       system administration monitoring reviews. However, the
                       procedures do not note the periods of review that are being
                       monitored or who is responsible for performing the reviews,
                       and evidence that the manager review was performed could only
                       be obtained for March 2006. Additionally, although the manager
                       reviews were implemented in March 2006, for the first half of
                       the fiscal year (October through March) [redacted] system
                       administration monitoring was not performed by a manager or
                       group outside of the three system administrators.
                   •   The access request form for one out of four individuals granted
                       access to [redacted] since October 1, 2005, did not contain the
                       supervisor’s approval.
                   •   The account of a contractor that left [redacted] in October 2005
                       remained active until May 2006. Once the system administrators
                       were notified of the active account, it was deleted.
TSA        05-07   [redacted] Certification and Accreditations (C&A) for the               X
                   [redacted] were not complete. Specifically, security testing and
                   evaluations (ST&Es) were incomplete and security plans had not been
                   updated.
TSA        05-08   [redacted] has not implemented formal procedures for the periodic       X
                   management review and monitoring of activities of [redacted]
                   database administrators and system administrators or the
                   [redacted] accounts.
TSA        05-09   The Enterprise Security Management tool identified world writeable      X
                   directories without a sticky bit set, and account management
                   weaknesses over DART.
TSA        05-10   During technical testing, patch management weaknesses were                  06-08 & 06-09
                   identified on hosts supporting the [redacted] applications. Many
                   of these vulnerabilities could allow a remote attacker to gain full
                   control of the affected host and could lead to the compromise of
                   the availability, confidentiality and integrity of [redacted] data.

                   During technical testing, configuration management weaknesses were
                   identified on hosts supporting the [redacted] applications.
                   Specifically, servers were identified with excessive access
                   privileges, and password and auditing configuration weaknesses.
TSA        05-11   Internet Security Systems Internet Scanner identified three hosts       X
                   that were missing patches.
TSA        05-12   Inaccuracies exist within TSA personnel records; this finding           X
                   addresses both the separated employee issue and other erroneous
                   personnel records.



                                                                            Appendix D

                           Department of Homeland Security
                       Information Technology Management Letter
                                  September 30, 2006

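Two of the Appendix C findings above lend themselves to a mechanical check that a component could run between audits: TSA 05-09 (world-writable directories without the sticky bit set) and G&T 05-13 together with TSA 05-06 (access of separated personnel not removed within two business days, or left active for months). The Python script below is an added example written for this edit; it is not code from the OIG, KPMG or any DHS component. The directory tree it scans and the separation and account records it reconciles are constructed sample data, and the two-business-day deadline comes from the G&T 05-13 finding (public holidays are ignored, an assumption made here).

```python
"""Mechanical checks for two kinds of Appendix C finding (added example, not
report code): world-writable directories lacking the sticky bit (TSA 05-09),
and accounts of separated personnel left active beyond a two-business-day
removal deadline (G&T 05-13, TSA 05-06). All sample data is constructed."""
import os
import shutil
import stat
import tempfile
from datetime import date, timedelta


def world_writable_without_sticky(root):
    """Return sorted directory paths (relative to root) that are writable by
    'other' but carry no sticky bit. Without the sticky bit any user can
    delete or rename any other user's files in the directory; a shared
    scratch directory is acceptable only as mode 1777."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if not stat.S_ISDIR(mode):       # skip symlinks to directories
                continue
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: one correct shared directory (1777), one
    world-writable directory with no sticky bit (the finding), one normal
    directory. Returns the temporary root; the caller removes it."""
    root = tempfile.mkdtemp(prefix="nfr-example-")
    layout = {
        ("var", "tmp"): 0o1777,      # sticky bit set: compliant
        ("srv", "dropbox"): 0o777,   # world-writable, no sticky bit: finding
        ("home", "user"): 0o755,     # not world-writable: compliant
    }
    for (parent_name, leaf_name), mode in layout.items():
        parent = os.path.join(root, parent_name)
        os.makedirs(parent, exist_ok=True)
        os.chmod(parent, 0o755)      # parents stay compliant whatever the umask
        leaf = os.path.join(parent, leaf_name)
        os.mkdir(leaf)
        os.chmod(leaf, mode)
    return root


def sample_sticky_findings():
    """Run the sticky-bit check over the constructed tree, then clean up."""
    root = build_sample_tree()
    try:
        return world_writable_without_sticky(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


def add_business_days(start, days):
    """Advance start by the given number of Monday-to-Friday business days.
    Public holidays are ignored (an assumption made for this example)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def overdue_removals(separations, active_accounts, as_of, grace_days=2):
    """Return sorted user names that have a separation date on record, still
    hold an active account, and whose removal deadline (separation date plus
    grace_days business days) had already passed on as_of."""
    overdue = []
    for user, separated in separations.items():
        deadline = add_business_days(separated, grace_days)
        if user in active_accounts and as_of > deadline:
            overdue.append(user)
    return sorted(overdue)


# Constructed HR separation dates and active-account export (not report data).
SAMPLE_SEPARATIONS = {
    "asmith": date(2006, 3, 3),         # Friday; deadline is Tuesday 2006-03-07
    "bjones": date(2006, 3, 8),         # already deprovisioned below
    "ccontractor": date(2005, 10, 14),  # left months ago, account still active
}
SAMPLE_ACTIVE_ACCOUNTS = {"asmith", "ccontractor", "dlee"}


def sample_overdue_accounts(as_of_iso):
    """Overdue account removals in the constructed records as of an ISO date."""
    return overdue_removals(SAMPLE_SEPARATIONS, SAMPLE_ACTIVE_ACCOUNTS,
                            date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    print("world-writable without sticky bit:", sample_sticky_findings())
    print("overdue removals as of 2006-03-09:", sample_overdue_accounts("2006-03-09"))
```

Run as a script it reports the one non-compliant directory and the two overdue accounts in the sample data. In practice the scan root would be the host's filesystem, and the two record sets would be the HR separation feed and the application's account export, compared on the review date; the separation of the reconciliation from the data source is what makes the check repeatable between audits.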
                   Report Distribution

                   Department of Homeland Security

                   Secretary
                   Deputy Secretary
                   General Counsel
                   Chief of Staff
                   Deputy Chief of Staff
                   Executive Secretariat
                   Under Secretary, Management
                   Chief Information Officer
                   Chief Financial Officer
                   Chief Information Security Officer
                   Assistant Secretary, Public Affairs
                   Assistant Secretary, Legislative Affairs
                   Assistant Secretary, Policy
                   DHS Audit Liaison
                   Chief Information Officer, Audit Liaison
                   Chief Privacy Officer

                   Office of Management and Budget

                   Chief, Homeland Security Branch
                   DHS OIG Budget Examiner

                   Congress

                   Congressional Oversight and Appropriations Committees, as appropriate


Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web
site at www.dhs.gov/oig.


OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

    •   Call our Hotline at 1-800-323-8603;
    •   Fax the complaint directly to us at (202) 254-4292;
    •   Email us at DHSOIGHOTLINE@dhs.gov; or
    •   Write to us at:
          DHS Office of Inspector General/MAIL STOP 2600, Attention:
          Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
          Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.